Bitrefill has linked a March 1 cyberattack to North Korea’s Lazarus Group, revealing how a single compromised employee laptop allowed attackers to infiltrate its systems, drain funds, and access sensitive records.
The breach began when hackers deployed malware on an employee device, exposing legacy credentials that unlocked access to Bitrefill’s internal infrastructure.
From there, attackers were able to obtain production keys, move laterally across systems, and ultimately drain funds from the company’s hot wallets.
Evidence gathered through on-chain tracing, together with the attackers’ reuse of IP and email infrastructure seen in earlier campaigns, closely matched tactics associated with Lazarus and its affiliate BlueNoroff Group, both known for highly targeted, financially motivated attacks on crypto platforms.
From one device to full system access
What started as a single endpoint compromise quickly escalated into a broader infrastructure breach. With access to internal systems, attackers probed Bitrefill’s environment, focusing on cryptocurrency holdings and its gift card supply chain.
The intrusion was first detected through unusual purchasing patterns among suppliers, signaling that the attackers were actively exploiting inventory while siphoning funds to external wallets.
Bitrefill responded by taking its systems offline — a complex move for a global platform handling thousands of products and payment flows — in order to contain the damage.
The breach also exposed approximately 18,500 purchase records, including email addresses, crypto payment details, and IP metadata. Around 1,000 of those records contained encrypted usernames.
However, the company emphasized there is no evidence that its full customer database was extracted, noting that attackers ran only limited, targeted queries rather than executing a large-scale data dump.
Financial hit contained, operations restored
While Bitrefill has not disclosed the exact amount of cryptocurrency stolen, it confirmed that all losses will be covered using its operational capital, shielding users from direct financial impact.
The company has since restored most of its services, with payments, inventory, and user accounts back online. Sales volumes have also returned to normal levels, suggesting customer confidence has remained intact despite the incident.
Bitrefill described the attack as its first major security breach in more than a decade of operations, stressing that it remains profitable and financially stable enough to absorb the losses.
Lazarus threat highlights evolving attack vectors
The incident underscores a persistent reality in crypto security: even as platforms strengthen defenses, sophisticated state-linked actors continue to exploit human and operational vulnerabilities.
The Lazarus Group has long been considered the most formidable hacking force in the crypto space, previously targeting major platforms and executing billion-dollar-scale exploits.
In this case, the attack did not rely on smart contract flaws or protocol weaknesses, but instead on a compromised device and credential exposure — a reminder that off-chain security remains a critical weak point.
Security overhaul underway
In response, Bitrefill has significantly upgraded its cybersecurity posture. The company is conducting extensive penetration testing with external experts, tightening internal access controls, and enhancing system monitoring to detect threats earlier.
It has also refined its incident response processes, including automated shutdown mechanisms to limit future damage.
Working alongside law enforcement, on-chain analysts, and security firms, Bitrefill is continuing its investigation while urging users to remain cautious of suspicious communications.
The breach ultimately highlights a sobering lesson for the industry: in an environment where billions can be moved instantly, even a single compromised laptop can open the door to a full-scale attack.