Cryptocurrency payments platform Bitrefill has attributed a March 1, 2026 cyberattack to the North Korea-linked Lazarus Group. The breach compromised production keys, drained hot wallets, and exposed approximately 18,500 purchase records containing email addresses, crypto payment addresses, and IP addresses.

About 1,000 records included encrypted usernames. The company said customer data was not the primary target, noting attackers focused on cryptocurrency holdings and gift card inventory. Affected users have been notified.

The attack originated from a compromised employee laptop that held legacy credentials, which gave the attackers access to critical infrastructure. Unusual supplier transactions revealed the breach, prompting Bitrefill to take systems offline temporarily.

Operations have since resumed. Bitrefill is covering financial losses through operational capital and enhancing security with external penetration tests, stricter access controls, and improved monitoring.

Lazarus, also known as Bluenoroff, has previously targeted major crypto platforms including Ronin Network, Horizon Bridge, and WazirX. Despite the breach, Bitrefill reaffirmed its financial stability and commitment to customer trust.