TechFlow News: On March 18, Bitrefill announced on its official X (formerly Twitter) account that its cryptocurrency gift card platform was subjected to a cyberattack on March 1, 2026. Based on multiple indicators, including the attack methodology, the malware used, on-chain tracking, and reused IP addresses and email accounts, investigators concluded that this incident bears strong similarities to prior attacks against the cryptocurrency industry carried out by the North Korean (DPRK) Lazarus/Bluenoroff hacking group.
The initial point of intrusion was an employee’s compromised laptop. Using credentials stolen from this device, the attackers gained access to snapshots containing production keys and then progressively expanded their access laterally across broader infrastructure, including certain databases and hot wallets holding cryptocurrency. The hot wallets were subsequently drained into addresses controlled by the attackers.
Regarding user data, approximately 18,500 purchase records were accessed by the attackers. These records included metadata such as email addresses, cryptocurrency payment addresses, and IP addresses. Among these, roughly 1,000 records contained users’ names. Although this data was encrypted at rest, the attackers may have obtained the corresponding encryption keys, prompting Bitrefill to notify those affected users individually via email. The company stated there is currently no evidence indicating the attackers performed a full database export.
Bitrefill has since resumed normal operations. The company affirmed its financial stability and confirmed it will absorb all losses using its own operating funds. It also pledged to continuously strengthen access controls, logging and monitoring systems, and incident response capabilities.




