Crypto e-commerce platform Bitrefill disclosed it suffered a cyberattack earlier this month, which it believes is linked to the North Korea-backed Lazarus Group. The breach, which began on March 1, 2026, originated from a compromised employee laptop, providing attackers with an entry point into the company's internal systems.
From there, the intruders accessed parts of Bitrefill's infrastructure, including segments of its database and certain cryptocurrency hot wallets. The company confirmed that some funds were drained from these wallets and that unauthorized purchases were made through vendor channels. While the exact scale of the financial loss has not been disclosed, Bitrefill stated it will cover any losses from its own operational capital.
The attackers accessed approximately 18,500 purchase records, which may include email addresses, crypto payment details, and technical metadata such as IP information. Roughly 1,000 of those records carry a higher risk due to the possible exposure of encrypted customer names. Bitrefill has contacted affected users in these higher-risk categories.
The company's investigation found strong overlaps with past Lazarus-linked operations, citing similarities in malware, infrastructure, and behavioral patterns. "Based on our investigation and our logs we don’t have reason to think that customer data was the target of this breach," the company stated. "There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal."
Bitrefill took its systems offline to contain the incident, disrupting operations before restoring most services, including payments, inventory, and user accounts. "Almost everything is back to normal: payments, stock, accounts," the company reported, adding that activity levels have recovered. Cybersecurity firms zeroShadow, SEAL911, and RecoverisTeam assisted in the response and investigation.
The incident highlights the persistent threat of state-sponsored cyberattacks in the crypto sector. Recent estimates place crypto theft tied to North Korean actors at over $2 billion in a single year. These attacks often rely on social engineering and compromised endpoints, such as the employee laptop in this case, rather than on software vulnerabilities alone.