- Following an investigation, Bitrefill has accused the Lazarus Group of attacking its platform.
- Bitrefill says the attack details are consistent with the group’s operational pattern.
- Hackers accessed 18,500 purchase records on Bitrefill, exposing user data.
Bitrefill, a crypto e-commerce and gift card platform, has accused the state-sponsored North Korean hacking apparatus, Lazarus Group, of being behind its cyberattack earlier this month.
A Consistent Pattern With Lazarus Group’s Operations
In a post on X, the cryptocurrency platform said the indicators it observed during its investigation of the attack are consistent with previous attacks carried out by the group. According to Bitrefill, the modus operandi, malware used, on-chain tracing, and reused IP/email addresses were similar to those deployed by the Lazarus Group against other companies in the crypto industry.
In the meantime, Bitrefill confirmed that hackers drained some of the company’s hot wallets on March 1 and made suspicious purchases with its vendors. The crypto firm did not state the amount lost during the attack. However, it confirmed that the hackers accessed 18,500 purchase records, potentially revealing “limited customer information,” such as email addresses, crypto payment addresses, and metadata with IP addresses.
How It Happened
Bitrefill’s report shows that the hackers breached its systems through an employee’s laptop, from which they exfiltrated legacy credentials. They then used the stolen credentials to access a snapshot containing production secrets, and from there escalated to broader infrastructure, including parts of the company’s database and certain cryptocurrency wallets. Bitrefill also said it has contacted about 1,000 users it considers at high risk of having their encrypted customer names exposed.
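The chain above (stolen legacy credentials, then a snapshot holding production secrets) suggests two routine defensive checks. The following script is an added illustration written for this article, not Bitrefill's code and not drawn from its report: it scans a snapshot for inlined secrets and flags credentials that have outlived a rotation window. The snapshot text, the secret patterns, the credential inventory and the dates are all constructed assumptions.

```python
"""Added example: scan a configuration snapshot for embedded production
secrets and flag credentials older than a rotation window.
All sample data below is constructed; nothing here comes from Bitrefill."""
import re
from datetime import date

# Constructed sample of the kind of file that might sit in an environment
# snapshot: a config dump with secrets inlined. Every value is fake.
SAMPLE_SNAPSHOT = """\
# app config snapshot (constructed sample)
DB_URL=postgres://app:s3cr3tpass@db.internal:5432/prod
API_TOKEN=tok_live_ABCDEF0123456789
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
LOG_LEVEL=info
-----BEGIN RSA PRIVATE KEY-----
MIIEfakekeymaterial
-----END RSA PRIVATE KEY-----
"""

# Each rule: (finding label, compiled regex). Patterns are deliberately
# generic and assumed; tune them to your own environment.
SECRET_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential_in_url", re.compile(r"://[^/\s:]+:[^@\s]+@")),
    ("secret_assignment", re.compile(
        r"^(?P<name>[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|KEY)[A-Z0-9_]*)"
        r"=(?P<value>\S+)$",
        re.MULTILINE)),
]


def find_secrets(text):
    """Return a sorted list of (line_number, label) for every rule match.
    A line can carry more than one finding (e.g. an AWS key assigned to a
    variable whose name also says KEY)."""
    findings = set()
    for label, rx in SECRET_RULES:
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.add((line_no, label))
    return sorted(findings)


def stale_credentials(inventory, today, max_age_days=90):
    """Return names of credentials not rotated within max_age_days.
    inventory maps credential name -> date of last rotation, or None when
    no rotation was ever recorded (a 'legacy' credential)."""
    stale = []
    for name, rotated in inventory.items():
        if rotated is None or (today - rotated).days > max_age_days:
            stale.append(name)
    return sorted(stale)


# Constructed inventory: the credential with no rotation record is the
# kind that can outlive the laptop it was once typed on.
SAMPLE_INVENTORY = {
    "API_TOKEN": date(2026, 1, 15),
    "AWS_ACCESS_KEY_ID": date(2025, 6, 1),
    "LEGACY_DEPLOY_KEY": None,
}

if __name__ == "__main__":
    for line_no, label in find_secrets(SAMPLE_SNAPSHOT):
        print(f"snapshot line {line_no}: {label}")
    for name in stale_credentials(SAMPLE_INVENTORY, date(2026, 3, 10)):
        print(f"rotate: {name}")
```

Run on a real snapshot, the first check tells you which secrets a snapshot leaks if it is read with stolen credentials; the second turns "legacy credentials" from a post-incident finding into a routine report, and any name it prints is a candidate for revocation rather than a reason to extend the window.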
North Korea’s Threat to Cryptocurrency Security
According to Chainalysis’s estimates, the Democratic People’s Republic of Korea (DPRK) is the biggest and most active threat to crypto security. The blockchain analytics firm estimated that DPRK-linked entities such as the Lazarus Group, together with individual actors, stole a record $2.02 billion through crypto thefts in 2025. That figure includes the largest single crypto exploit by volume to date, the $1.5 billion stolen from Bybit by the Lazarus Group.
Meanwhile, Bitrefill has informed users about ongoing efforts by the team, in collaboration with industry security researchers, incident response specialists, on-chain analysts, and law enforcement, to understand what happened and how to prevent it from happening again.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.