Crypto gift card platform Bitrefill disclosed a cyberattack on March 1 that originated from a compromised employee laptop. Attackers gained access to production secrets and moved laterally into databases and cryptocurrency wallets.
Investigation revealed indicators matching North Korean state-sponsored groups Lazarus and Bluenoroff, including malware signatures, on-chain behavior, and reused infrastructure. No full database exfiltration occurred, but approximately 18,500 purchase records were partially accessed, limited to email addresses, crypto payment addresses, and IP metadata.
For about 1,000 purchases requiring names, encrypted fields may have been exposed due to potential key compromise. Affected users were notified directly via email.
Bitrefill does not require mandatory KYC and stores verification data externally. The company stated that customers do not need to take immediate action but should remain vigilant against phishing attempts.
Most services (payments, inventory, accounts) have resumed. Financial losses will be covered by operational capital. Enhanced security measures now include tighter access controls, upgraded monitoring, and ongoing third-party audits.