Crypto E-Commerce Platform Bitrefill’s Funds Drained In North Korean Cyberattack

Bitrefill, a Sweden-based crypto e-commerce platform, revealed on Tuesday that it fell victim to a cyberattack on March 1, 2026, carried out by suspected North Korean hackers linked to the notorious Lazarus group. 

The company released a post-mortem report detailing the breach, which resulted in drained funds and the exposure of a subset of user data.

18,500 Purchase Records Exposed

In a statement shared on social media platform X, Bitrefill explained that the attack exhibited several indicators consistent with previous incursions attributed to the North Korean Lazarus and Bluenoroff groups. 

The attack was initiated through a compromised employee laptop, from which legacy credentials were extracted. These credentials reportedly allowed the attackers to access sensitive data, including a snapshot containing crucial production secrets, ultimately leading to broader access within Bitrefill’s infrastructure, database, and wallets.

The cyberattack was first detected when the team noticed “suspicious purchasing patterns,” indicating that gift card inventories were being misused. As a result, some of the company’s hot wallets were compromised, with funds being redirected to wallets controlled by the attackers. 

Regarding customer data, Bitrefill emphasized that its investigation did not indicate that customers’ information was the primary target of the breach. 

The firm asserted there is no evidence suggesting the attackers accessed the entire database; rather, they executed a limited number of queries, likely in an attempt to probe the system for valuable data, including cryptocurrency and gift card inventories.

However, the company did confirm that the breach involved access to approximately 18,500 purchase records, which contained limited customer information such as email addresses, cryptocurrency payment addresses, and metadata including IP addresses. 

For around 1,000 purchases, customers had to provide names for specific products, and while this information is encrypted, the attackers may have accessed the encryption keys. 

Bitrefill Strengthens Cybersecurity Post-Attack

In response to the cyberattack, Bitrefill is enhancing its cybersecurity measures. This includes thorough reviews and penetration tests conducted by various external experts, and implementing their recommendations. 

The platform is also tightening internal access controls, improving logging and monitoring for quicker detection, and refining its incident response protocols alongside automated shutdown strategies.

Additionally, Bitrefill has been collaborating with top industry security experts, incident response teams, on-chain analysts, and law enforcement agencies to gain a deeper understanding of the breach and to implement measures that prevent future occurrences. 

In its statement, the firm clarified that operations are returning to normal. Payment processing, stock availability, and account functionalities are stabilizing. The Bitrefill team concluded:

Featured image from OpenArt, chart from TradingView.com