TLDR
- Bitrefill suffered a cyberattack attributed to the Lazarus Group, resulting in funds stolen from its crypto hot wallets.
- The breach exposed about 18,500 purchase records, including some customer data.
- The attack originated from a compromised employee laptop, consistent with past Lazarus Group tactics.
- Bitrefill says customer data exposure was minimal and that it will absorb the operational losses.
Crypto e-commerce platform Bitrefill disclosed a cyberattack earlier this month, resulting in stolen funds and a limited exposure of customer data. The company pointed to the North Korean-linked Lazarus Group as the likely perpetrator, citing indicators such as malware similarities and reused infrastructure.
Attack Details and Initial Response
The attack began on March 1, 2026. According to Bitrefill, a compromised employee laptop gave the attackers access to legacy credentials tied to its production systems. Using those credentials, the attackers expanded their access into the company's internal infrastructure, including segments of its database and certain cryptocurrency hot wallets.
The company detected the breach after noticing suspicious purchasing patterns and anomalies in vendor activity. As a precaution, Bitrefill temporarily took its systems offline to contain the intrusion. This response allowed the company to secure its global operations and restore services, such as payments and account access, to normal.
March 1st incident report
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation – including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) – we find many similarities…
— Bitrefill (@bitrefill) March 17, 2026
Bitrefill has not disclosed the exact amount of funds stolen, but it confirmed that it would absorb the losses using operational capital. The company has reassured users that the attack did not primarily target customer data, although certain records were exposed during the incident.
Customer Data Exposure and Potential Risks
Approximately 18,500 purchase records were accessed during the breach. The exposed data included email addresses, cryptocurrency payment addresses, and metadata such as IP addresses.
Around 1,000 of these records contained encrypted customer names. Bitrefill treats these names as potentially exposed because the attackers may also have accessed the encryption keys, in which case the encryption offers no protection.
However, Bitrefill emphasized that it stores minimal personal data and does not require know-your-customer (KYC) verification for most transactions. Any KYC information it does collect is handled by external providers and is not stored within Bitrefill's systems. The company said it has contacted affected users directly to notify them of the breach.
Link to Lazarus Group and Cybersecurity Measures
Bitrefill’s investigation pointed to the Lazarus Group, a North Korean hacking collective, as the likely culprit. The company noted several key indicators that tied this attack to Lazarus, including the malware used, reused infrastructure like IP addresses and email accounts, and on-chain transaction patterns.
Lazarus is well-known for its involvement in major cryptocurrency thefts, including those targeting exchanges and other crypto-related services.
Cybersecurity firms such as zeroShadow, SEAL911, and RecoverisTeam assisted Bitrefill during the response and investigation. The company has since implemented additional security measures, including expanded monitoring systems and stronger internal controls, to prevent future incidents.
Broader Context of State-Sponsored Cyber Threats
The attack highlights the ongoing risk of state-sponsored cyberattacks in the digital asset sector. In 2025, groups linked to North Korea were responsible for over $2 billion in stolen cryptocurrency, according to blockchain analytics firm Chainalysis.
These attacks have targeted a range of platforms, further underscoring the vulnerability of the crypto industry to such threats.
Bitrefill’s recovery has been swift, with the company stating that customer activity and sales volumes have returned to normal. Despite the breach, Bitrefill continues to assure its customers that its operations are stable, and it remains confident in its ability to prevent similar incidents in the future.