Bitrefill Says North Korea-Linked Hack Drained Funds and Exposed 18,500 Records

Bitrefill Says North Korea-Linked Hack Drained Funds and Exposed 18,500 Records

N
News Editor 01
2026-07-10 00:52:13
Bitrefill said a March 1 cyberattack linked to suspected North Korean hacking groups drained company funds and exposed limited customer data tied to about 18,500 purchase records. The company says operations have largely returned to normal.
BitrefillNorth Korea hackersLazarusdata breachcrypto payments

Crypto payments and gift card platform Bitrefill has disclosed that it was hit by a cyberattack on March 1, an incident it says bears similarities to operations previously attributed to North Korean hacking groups including Lazarus and Bluenoroff. The breach resulted in company funds being drained and a limited exposure of customer-related data. Bitrefill said most operations have now largely returned to normal and that the financial losses will be covered with operating capital.

Compromised employee laptop led to wider access

According to the company’s incident report, the attack began when an employee laptop was compromised. That foothold allowed the attackers to extract legacy credentials tied to production systems and then escalate access into a broader portion of Bitrefill’s infrastructure, including parts of the corporate database and some cryptocurrency hot wallets. The company said its attribution assessment was based on malware similarities, reused infrastructure, and onchain tracing patterns that resemble earlier campaigns linked to North Korean threat actors.

Bitrefill said it detected the intrusion after spotting suspicious purchasing activity and irregularities involving vendors. Investigators later determined that the attackers exploited gift card inventory systems while at the same time moving funds out of hot wallets to addresses under their control. Once the breach was confirmed, the company took systems offline immediately, describing the shutdown as necessary to contain the attack across its global e-commerce operations involving multiple vendors, payment channels, and regions.

18,500 purchase records accessed

On the data side, Bitrefill said roughly 18,500 purchase records were accessed. The exposed information included limited customer data such as email addresses, cryptocurrency payment addresses, and IP metadata. In addition, about 1,000 records containing customer names were considered potentially exposed. Although those names were encrypted in the database, the company said possible access to encryption keys meant those records had to be treated as at risk, and affected users have been notified.

At the same time, Bitrefill stressed that it stores only minimal personal data and does not require mandatory know-your-customer verification. Identity-related data, where applicable, is handled by external providers rather than stored internally. The company also said there is no evidence that the entire database was exfiltrated.

Company working with security firms and law enforcement

Bitrefill said it is coordinating with cybersecurity firms, onchain analysts, and law enforcement while also tightening internal controls, expanding monitoring systems, and carrying out additional security audits. The company advised users to remain alert to suspicious messages, but said that no immediate action is currently required from users.

The incident highlights the layered risks facing crypto commerce platforms, where endpoint compromise, legacy credentials, and hot wallet exposure can combine into a broader operational breach. Even for firms that minimize stored personal data, employee devices, supply-chain systems, and wallet security remain critical points of defense.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.