Key Highlights
- Bitrefill was hit by a cyberattack linked to North Korea’s Lazarus Group, affecting parts of its database and cryptocurrency wallets.
- Around 18,500 purchase records were accessed, including email addresses and crypto payment info, with 1,000 records containing customer names.
- Bitrefill has restored most services, improved cybersecurity, and confirmed that customer data was not the main target.
Bitrefill, an e-commerce platform, reported in a post on X today that it was hit by a cyberattack on March 1, 2026. The company said that the attack looks very similar to previous attacks by North Korea’s Lazarus Group, also known as Bluenoroff.
The investigation reportedly examined the attack method and the malware used, and traced the activity on the blockchain, all of which pointed to the same group.
How the attack happened
In the post, Bitrefill explained that the attack started when an attacker got into an employee’s laptop. From that laptop, they stole an old password that let them access a snapshot of Bitrefill’s secret production information. Using that, the attackers were able to get into more of the company’s systems, including parts of the database and some cryptocurrency wallets.
The company said it first noticed something wrong when it saw unusual purchasing patterns with certain suppliers.
“We realized that our gift card stock and supply lines were being exploited,” Bitrefill said. At the same time, some of the company’s cryptocurrency wallets were also emptied, and the money was sent to wallets controlled by the attackers. When it found the breach, Bitrefill took all of its systems offline to stop the attack from spreading.
Impact on customers and data
Bitrefill operates a global e-commerce business with many suppliers, thousands of products, and multiple payment methods in different countries. The company said turning everything off safely and turning it back on is not that simple.
The company also said customer data was not the main target. The attackers only ran a small number of checks to see what they could steal, mostly cryptocurrency and gift card stock.
Bitrefill said it keeps very little personal data and does not force customers to verify their accounts. When account verification is done, the information is stored with external KYC providers and is not backed up in Bitrefill’s systems.
However, about 18,500 purchase records were accessed, including email addresses, crypto payment addresses, and IP information. Around 1,000 purchases required customer names, which were encrypted. Since attackers may have gotten the encryption keys, Bitrefill treats this data as possibly accessed. Customers affected were notified by email.
Plan for full recovery
Since the attack, the company said it has been working with top security researchers, response specialists, blockchain analysts, and law enforcement to understand the attack and prevent it from happening again.
Bitrefill also said it remains well-funded and profitable. Payments, stock, accounts, and sales are mostly back to normal.
“Almost everything is back to normal: payments, stock, accounts. Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us,” the company said.
Brief details on the Lazarus Group
The Lazarus Group is a well-known group that has been terrorizing the crypto space for years. The group is known for targeting well-established platforms and companies to hack and steal funds from them.
Previously, the group was linked to a hot wallet hack on Upbit, which resulted in about $32 million in losses on November 27, 2025. It was also tied to the hack on CoinDCX, an Indian crypto exchange, which lost about $44 million on July 19, 2025.
Authorities have taken action in response to these attacks. Last year, the U.S. Treasury sanctioned North Korean entities, including the Korea Mangyongdae Computer Technology Company and Ryujong Credit Bank, for laundering cryptocurrency that was stolen to fund weapons programs.
Despite these efforts, the Lazarus Group remains a major threat to the crypto space.
