
Bitrefill reports Lazarus-style exploit drained funds and exposed some user data


Bitrefill, the established crypto-to-gift-card platform, was hit by a sophisticated cyberattack earlier this month that drained company funds and exposed some customer data.

The team disclosed the incident in an X article on Tuesday, saying that it shares strong similarities with operations linked to Lazarus Group, the notorious North Korean cybercrime collective believed to be responsible for billions of dollars in crypto thefts.

According to Bitrefill, the breach happened on March 1, when attackers gained access to an employee’s device and extracted a legacy login credential.

From there, they used that foothold to pull production secrets and move deeper into Bitrefill’s infrastructure, escalating privileges until they reached parts of its database and certain crypto wallets.

Bitrefill first detected the intrusion after noticing unusual purchasing activity from suppliers.

The company discovered that its gift card inventory and supply chains had been exploited alongside wallet drains. Upon identifying the breach, Bitrefill took all systems offline as part of its containment protocol.

“Getting hit by a sophisticated attack sucks (a lot). We’ve been in business for over 10 years, and it’s the first time we’ve been hit this hard. But we survived,” the company stated in its incident report.

Scope of data exposure

The breach affected about 18,500 purchase records, including customer email addresses, crypto payment addresses, and metadata such as IP addresses.

Roughly 1,000 transactions involved products that required customer names. While that information was encrypted, it may have been exposed if attackers accessed the encryption keys. Bitrefill said it has notified affected customers.

The company said customer-held gift cards, store credits, and account balances were not impacted. It also noted that it does not require mandatory know-your-customer checks, and any KYC data submitted for higher purchase limits is handled by an external provider, not stored on its systems.

Investigators found multiple signs linking the attack to the Lazarus Group and its affiliate Bluenoroff, including malware similarities, blockchain tracing patterns, and reused IP and email infrastructure tied to earlier crypto breaches.

Bitrefill said it worked with security firms and law enforcement in responding to the incident.

Bitrefill plans to cover the financial losses caused by the attack using its operational capital. The platform has restored most functions, including payments, inventory, and customer accounts, with sales volumes returning to pre-incident levels.

The company said it is strengthening its security posture through additional penetration testing, tighter access controls, improved logging and monitoring, and updated incident response procedures, including automated shutdown protocols.

Disclosure: This article was edited by Vivian Nguyen. For more information on how we create and review content, see our Editorial Policy.



Published by
Adam Forsyth
