Bitrefill Hack Exposes 18,500 Records, Lazarus Group Identified as Likely Attacker

Bitrefill, the crypto-to-gift-card platform, disclosed on March 17 that a cyberattack on March 1 drained funds from its hot wallets and exposed approximately 18,500 purchase records, with investigators pointing to North Korea’s Lazarus Group as the likely perpetrator. The company worked alongside cybersecurity firms zeroShadow, SEAL_Org, and Recoveris before going public, spending more than two weeks building a forensic picture of what happened. The level of discipline in that response matters: rushing a disclosure without evidence rarely serves customers or the broader ecosystem.

The attack began on a single employee laptop. Attackers extracted a legacy credential stored on that device, one that had not been retired from production systems. That credential unlocked a snapshot containing production secrets, which in turn gave the intruders escalating access to Bitrefill’s internal database and several cryptocurrency hot wallets. The financial loss remains undisclosed, but The Block confirmed the company will absorb all losses from operational capital, with no disruption to customer services.

What the Indicators Say About Attribution

Attribution in state-sponsored hacking is rarely clean, and Bitrefill was careful to frame its findings as indicators rather than certainties. The similarities investigators identified include:

  • Malware signatures consistent with prior Lazarus Group deployments
  • Reused IP addresses and email infrastructure tied to known DPRK operations
  • On-chain transaction patterns matching previous Lazarus fund movements

Bitrefill also noted that BlueNoroff, a Lazarus subgroup specialised in targeting financial systems, may have been involved independently or alongside the broader group. The convergence of those technical markers across malware, network infrastructure, and blockchain forensics is what distinguishes a credible attribution claim from speculation. According to Blockonomi’s detailed breakdown, Chainalysis data holds North Korean-linked groups responsible for over $2 billion in crypto thefts during 2025 alone. This incident fits a documented pattern of patient, credential-based infiltration rather than brute-force exploits.

Customer Data Exposure: Scope and Response

The 18,500 purchase records accessed contained email addresses, cryptocurrency payment addresses, and IP metadata. For roughly 1,000 of those records, encrypted customer names were also reachable, and because the attackers may have obtained the decryption keys, Bitrefill treated that name data as fully compromised. Affected users have been notified directly. Bitrefill stressed that customer data was not the primary objective: logs show the intruders ran limited queries focused on probing gift card inventory and crypto holdings rather than harvesting personal records at scale.

The platform’s architecture works in its favour here. Bitrefill does not require KYC for most transactions, and any KYC data that does exist is held by external providers outside Bitrefill’s own systems. That design choice, often framed as a privacy feature, also meaningfully limits the blast radius when an intrusion occurs. This pattern of credential compromise targeting legacy access points is not isolated to Bitrefill; the domain hijack attack on Bonk.fun earlier this month showed similar themes of account-level entry points becoming the vector for broader damage.

Infrastructure Security Cannot Be an Afterthought

The core lesson here is structural. A single unrotated credential on one laptop became the entry point to production infrastructure. Bitrefill has committed to expanded monitoring and tightened internal controls. That is the right direction, but the industry needs to treat credential lifecycle management with the same rigour it applies to smart contract audits. State-sponsored actors are not waiting for protocols to make obvious mistakes; they are hunting for the quiet gaps left by routine negligence. Building resilient crypto infrastructure means closing those gaps before the attackers find them.

Alyssa Monroe

I track the technology that powers crypto. Layer 1 networks, scaling layers, developer ecosystems and the infrastructure quietly expanding what blockchains can do. Ethereum, Solana, Avalanche, Polkadot. Rollups, Lightning, cross-chain systems, tokenised assets. Markets chase price. I watch builders, protocol upgrades and the milestones that signal real adoption.
