Bitrefill was attacked by a North Korean hacker group, resulting in approximately 18,500 user purchase records being accessed.

Deep Tide TechFlow News, March 18 — According to an official post on Bitrefill’s X platform, on March 1, 2026, the cryptocurrency gift card platform Bitrefill was subjected to a cyberattack. Based on indicators such as attack methods, malicious software used, on-chain tracking, and reused IP addresses and email addresses, investigators believe this attack closely resembles previous assaults by the North Korean DPRK Lazarus/Bluenoroff hacking group targeting the crypto industry.

The initial entry point was an employee’s compromised laptop, which the attacker used to obtain historical credentials, then access snapshots containing production keys, and gradually move laterally to broader infrastructure, including some databases and cryptocurrency hot wallets. Funds from the hot wallets were subsequently transferred to addresses controlled by the attacker.

Regarding user data, approximately 18,500 purchase records were accessed by the attacker, involving email addresses, encrypted payment addresses, and IP metadata; about 1,000 records included user names, which were stored encrypted. However, since the attacker may have obtained the encryption keys, affected users have been notified via individual emails. The company states there is currently no evidence that the attacker exported the entire database.

Bitrefill has now resumed normal operations. The company claims its financial position remains stable, and it will bear the losses with its own operating funds. It also commits to continuously strengthening access controls, log monitoring, and emergency response mechanisms.