Highlights:
- Bitrefill said a March 1 cyberattack hit hot wallets and 18,500 records.
- The company linked the breach to Lazarus-style tactics and a compromised employee device.
- Bitrefill restored services and said attackers mainly targeted funds, not full data.
Crypto payments platform Bitrefill revealed that it suffered a major cyberattack on 1 March. The company believes the incident shows several patterns seen in past attacks tied to North Korea’s Lazarus Group and its affiliate, Bluenoroff. In its post-incident investigation, Bitrefill found that the attackers accessed nearly 18,500 purchase records and drained funds from a number of its hot wallets.
Attack Began Through Employee Device
Bitrefill said the breach began when attackers compromised an employee’s laptop. The company said the attackers took an old credential from the device, which opened access to a saved snapshot holding sensitive production data. That access allowed them to move further into Bitrefill’s internal systems and reach parts of its database as well as some crypto wallets.
According to Bitrefill, the malware used in the attack, along with the reused IP and email infrastructure and the on-chain tracing patterns, closely matched methods that have been linked to North Korean threat actors in earlier cases.
Crypto payments platform Bitrefill disclosed that it suffered a cyberattack on March 1, 2026, suspected to be linked to the North Korean Lazarus Group / Bluenoroff. About 18,500 order records were accessed, involving email addresses and crypto addresses.
The breach originated…
— Wu Blockchain (@WuBlockchain) March 18, 2026
The company said it became aware of the breach after spotting unusual purchase activity involving suppliers. The unusual pattern showed that attackers were exploiting the company’s gift card inventory and supply channels. At the same time, Bitrefill found that attackers were draining some of its hot wallets and moving the stolen funds into wallets under their control. Bitrefill confirmed that the attack resulted in financial losses, though it did not share the exact figure. It said the damage would be absorbed through operational capital.
Hackers Targeted Funds and Some Customer Records
Bitrefill said attackers accessed about 18,500 order records. The exposed data included email addresses, crypto payment addresses, and metadata linked to IP activity. Attackers also reached customer names in around 1,000 orders. The company had encrypted those names in its database, but it now treats them as potentially compromised because the attackers may have also obtained the encryption keys.
Bitrefill said it found no sign that attackers copied its full customer database. The company said the attackers appeared to focus on money. They ran limited searches to find valuable assets, especially crypto funds and gift card stock. Instead of taking everything, they seemed to target what they could steal quickly. This suggests the main goal was theft, not broad customer monitoring.
Bitrefill is a crypto-commerce platform that lets users buy digital gift cards, eSIMs, and mobile top-ups with Bitcoin and other cryptocurrencies. The company presents itself as a service built to help people “live on crypto,” and offers bill payment services in some countries. Bitrefill is operated by Airfill Prepaid AB, a Sweden-registered company based in Stockholm.
Bitrefill Restores Services After the Attack
After detecting the breach, Bitrefill shut down its systems to stop the attack. It later brought services back online and said its operations have returned to normal. The company is now working with security experts, blockchain investigators, and law enforcement while improving its defences. The case also shows that crypto companies still face serious threats from state-backed hackers, especially when weak points such as employee devices and old credentials are involved.





