News Coverage agency
North Korea Lazarus Hackers Just Robbed a Crypto Giant

Bitrefill has confirmed it suffered a cyberattack on March 1, 2026. The attack drained hot wallets and touched customer purchase data. One of the longest-running crypto e-commerce platforms took every system offline to contain it.

The breach started from a single compromised employee laptop. A legacy credential was pulled from that device. That one credential opened a path into a snapshot holding production secrets.

The Trail Led Straight to Pyongyang

According to Bitrefill on X, indicators gathered during the investigation tied this attack directly to North Korea’s Lazarus and Bluenoroff groups. Reused IP addresses and email addresses matched past attacks on other crypto firms. The malware matched. So did the modus operandi.

Attackers moved fast once inside. They escalated access across Bitrefill’s broader infrastructure. Parts of the database were reached. Cryptocurrency wallets were drained and funds transferred to attacker-controlled addresses.

The first sign wasn’t a security alert. As Bitrefill stated on X, the team first detected suspicious purchasing patterns with certain suppliers before realizing gift card stock and supply lines were being exploited. Then the hot wallet drains appeared. Both at once.

18,500 Records. What Was Actually Taken

The database access was real. Around 18,500 purchase records were accessed by the attackers. Those records carried email addresses, crypto payment addresses, and IP address metadata.

Roughly 1,000 of those purchases contained customer names. That data sits encrypted in the database. Bitrefill confirmed on X that because attackers may have accessed the encryption keys, all names in that category are being treated as potentially compromised, and affected customers have already been notified directly by email.

Bitrefill does not hold mandatory KYC data in-house. When customers verify their accounts, that data stays with an external KYC provider, and no backups of it are kept in Bitrefill’s system.

The Response Teams That Moved Immediately

Four groups responded rapidly after the breach. Bitrefill’s incident report on X specifically thanked @zeroshadow_io, @SEAL_Org, @RecoverisTeam, and @fearsoff for their rapid response throughout the incident. Law enforcement was also engaged.

Taking a global e-commerce operation offline mid-attack is not simple. Dozens of suppliers. Thousands of products. Multiple payment methods across many countries. Bitrefill brought it all back.

A 10-Year Company That Absorbed the Hit

As Bitrefill noted in its incident post on X, this was the first time in over 10 years of operation the company had been hit this hard, and it described the experience plainly as something that “sucks a lot.”

The company says it remains profitable and well-funded. Losses will come from operational capital. Payment systems, stock, and accounts are back to normal, the company confirmed.

Security upgrades are already in motion. External pentests are ongoing. Internal access controls are being tightened further. Logging, monitoring, and automated shutdown procedures are all being reviewed and refined.

At this time Bitrefill says customers do not need to take specific action. The one recommendation is to stay cautious of any unexpected communications related to Bitrefill or crypto. If that assessment changes, the company says it will notify those affected immediately.

The Lazarus Group has previously been linked to billions of dollars in crypto thefts across multiple exchanges and protocols. This attack matches the same playbook. A single weak credential. Fast escalation. Funds out before anyone notices.

Bitrefill noticed.

This article was created by News Coverage Agency, the best PR agency helping all firms gain access to media. Learn more at newscoverage.agency.
