Crypto e-commerce store Bitrefill has revealed it was the victim of a cybersecurity attack on March 1, with the methods used closely resembling those of Lazarus Group, North Korea’s notorious hacking organization.
In a post to X on Tuesday, Bitrefill said the hackers used malware, onchain tracing and reused IP and email infrastructure to compromise an employee’s laptop, enabling them to drain funds from the company’s hot wallets while also accessing 18,500 purchase records, potentially revealing “limited customer information.”
Bitrefill said BlueNoroff Group, another North Korean hacking organization with close ties to the Lazarus Group, may have also been involved or been the sole attacker.
Source: Bitrefill
Bitrefill, which enables customers to spend crypto on real-world products and gift cards, said there was no evidence that the hackers extracted its database, suggesting the motive was financial.
“There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory.”
While Bitrefill didn’t disclose how much funds were stolen, the company said it “will absorb” those losses from its operational capital.
"Almost everything is back to normal: payments, stock, accounts," Bitrefill said, adding: “Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us."
Despite many crypto platforms strengthening security measures in recent years, sophisticated hackers have continued to find ways to breach their defenses.
Related: Bonk.fun warns hackers hijacked domain in wallet-drainer attack
Lazarus Group remains the crypto industry’s most formidable threat and was behind the largest hack in crypto history, when it stole $1.4 billion from crypto exchange Bybit in February 2025.
Bitrefill has upped its security measures
Bitrefill said it contacted law enforcement and worked with crypto security firms Security Alliance, FearsOff Security, Recoveris.io and zeroShadow to navigate the cybersecurity incident. Part of its initial response was to turn its systems offline to contain the attack.
Bitrefill said it has already “significantly improved” its cybersecurity practices since the incident.
Those measures include cybersecurity reviews with security researchers and implementing their recommendations, tightening internal access controls and improving monitoring strategies for faster detection and response.
