According to the official incident report released by Bitrefill, the company experienced a major cyberattack on March 1. The nature and execution of the breach closely resemble tactics used by the North Korean-linked hacking group Lazarus Group, also known as Bluenoroff.

The report states that the attack began with the compromise of an employee’s laptop, providing the attackers with initial access to internal systems. Using a legacy credential, they were able to access a snapshot containing sensitive production secrets. This allowed them to escalate their access and reach critical infrastructure, including databases and crypto wallets. The breach was first identified after unusual purchasing patterns were observed among suppliers, which led to the discovery that gift card inventory and funds from hot wallets had been drained. The company immediately shut down its systems to prevent further damage.

Customer Data Exposure
As detailed in the report, customer data was not the primary target of the attack. However, approximately 18,500 purchase records were accessed by the attackers. These records included email addresses, cryptocurrency payment addresses, and IP addresses. In around 1,000 instances, customer names were also present. Although this information was encrypted, the report notes that the encryption keys may have been compromised. Affected users have been directly notified, while others have been advised to remain cautious of any suspicious crypto-related communications.
Company Response and Security Measures
Following the incident, Bitrefill has been working with cybersecurity experts, on-chain analysts, and law enforcement authorities as part of its ongoing investigation. The report highlights several improvements made to strengthen security, including tighter internal access controls, enhanced monitoring and logging systems, and comprehensive security testing with external experts. Incident response procedures have also been reviewed and upgraded.
Services Restored, Losses Covered
The report emphasizes that this is the first major security incident in Bitrefill’s more than ten years of operation. The company has absorbed the financial losses through its operational reserves and confirmed that all services, including payments, stock availability, and account access, have been fully restored. Sales activity has also returned to normal levels.
A Wake-Up Call for the Crypto Industry
The incident report underscores a critical lesson for the crypto industry: even established platforms remain vulnerable to internal security weaknesses, particularly those involving employee devices and outdated credentials. The continued activity of groups like Lazarus Group highlights the growing sophistication of cyber threats. While Bitrefill’s transparency and swift recovery are notable, the report makes it clear that strengthening internal security must remain a top priority moving forward.