Bitrefill, a provider of crypto spending cards and e-commerce solutions, has released a comprehensive report outlining the extensive cyberattack it suffered on March 1, 2026. The company revealed that hackers accessed about 18,500 transaction records and managed to seize assets from multiple hot wallets. Details of the breach and its aftermath, now made public by the firm, highlight persistent security risks facing the crypto sector.
Leak Reveals Transaction and User Data
The leaked dataset from the breach included email addresses, cryptocurrency payment addresses, certain IP data, and, for around 1,000 records, full names. While Bitrefill emphasized that these details were stored in encrypted form, it acknowledged the possibility that attackers may have obtained decryption keys, treating all compromised data as potentially at risk. Crucially, the company clarified that customer Know Your Customer (KYC) data was not affected, as it is managed externally by a third-party provider and not stored within Bitrefill’s own systems. For most users, only transaction histories and specific technical information were exposed.
Bitrefill confirmed the attack took place on March 1, noting that the investigation uncovered traces of malicious software and identified the reuse of IP and email addresses previously linked to North Korea-backed cyberattacks.
According to further details from Bitrefill, the attackers did not succeed in accessing user accounts or directly obtaining any financial verification documents. The company reiterated its strong emphasis on safeguarding customer privacy, noting that keeping KYC information off its core platform was a deliberate security measure.
How the Attack Unfolded
The cyberattack originated with the compromise of an employee’s laptop. Intruders leveraged legacy login credentials and old access keys, which should have been retired, to move deeper within Bitrefill’s infrastructure. With this unauthorized access, the attackers transferred assets from the company’s hot wallets and placed suspicious orders through in-platform gift card suppliers. The investigation found that the malware used, the recurring IP and email addresses, and the on-chain movement of the stolen funds all matched patterns attributed to the notorious Lazarus Group, linking the hack to the North Korean-backed outfit.
Bitrefill later identified that a critical vulnerability came from retaining an unused access credential in the system. Attackers captured a snapshot of the system, along with the outdated credential, which enabled the breach to spread across the company’s network.
Response and Remediation Efforts
Once the breach was detected, Bitrefill promptly took all systems offline. Following a two-week internal review and security overhaul, the company restored nearly all services by March 17. Payment operations, user accounts, and product inventories became accessible again. Bitrefill announced that it would fully reimburse the financial losses from its own resources, assuring users that customer balances remained untouched and secure during the attack.
In the wake of the incident, Bitrefill initiated partnerships with cybersecurity firms zeroShadow and SEAL911 and began strengthening internal access controls to guard against future threats.
Lazarus Group’s Persistent Threat to Crypto Platforms
The Lazarus Group, a cybercriminal enterprise linked to the North Korean regime, has orchestrated numerous attacks against the crypto industry over the years. Blamed for thefts involving billions of dollars in digital assets, the group is believed to funnel these funds into North Korea’s weapons programs. The recent Bitrefill case underscores Lazarus’s strategy of targeting not only major exchanges but also mid-sized platforms operating within the evolving crypto ecosystem.
In Bitrefill’s situation, storing identity verification data outside the main platform helped contain the damage. However, the breach ultimately hinged on a single neglected account credential, which became the attackers’ gateway to the company’s entire infrastructure—a stark reminder of the disproportionate impact small oversights can have in cybersecurity.