Bitrefill says attack shows Lazarus Group patterns after hot wallets drained


Bitrefill has disclosed details of a cyberattack on 1 March 2026, revealing that attackers drained funds from its hot wallets and accessed parts of its internal infrastructure. 

The company said its investigation identified multiple similarities with past operations linked to the Lazarus Group. However, it stopped short of definitively attributing the attack.

The breach was detected after Bitrefill observed unusual purchasing patterns tied to its supplier network, alongside unauthorized transfers from its wallets. The company immediately took its systems offline to contain the incident.

Attack began with compromised employee device

According to Bitrefill, the intrusion originated from an employee’s compromised laptop, which allowed attackers to extract a legacy credential.

That credential provided access to a snapshot containing production secrets, enabling the attackers to escalate privileges across parts of the company’s infrastructure.

From there, the attackers gained access to internal systems, database segments, and certain cryptocurrency wallets. This ultimately led to fund movements and operational disruptions.

Hot wallets drained as supply channels exploited

Bitrefill said the attackers exploited both its gift card inventory system and crypto infrastructure. 

Suspicious purchasing activity revealed that supply lines were being abused, while hot wallets were simultaneously drained and funds moved to attacker-controlled addresses.

The company did not disclose the total value of funds lost. Still, it confirmed that the breach impacted both its e-commerce operations and wallet balances.

18,500 records accessed, limited data exposure

Database logs showed that approximately 18,500 purchase records were accessed during the breach. The exposed data included:

  • Email addresses
  • Crypto payment addresses
  • Metadata such as IP addresses

For around 1,000 purchases, customer names were included. While this data was encrypted, Bitrefill said the attackers may have accessed the encryption keys, so it is treating the data as potentially exposed.

Affected users in this category have already been notified.

The company emphasized that there is no evidence of a full database extraction, noting that the queries appeared limited and exploratory.

Lazarus-linked patterns flagged in investigation

Bitrefill said its investigation—based on malware analysis, on-chain tracing, and reused infrastructure such as IP and email addresses—revealed similarities with known tactics used by the Lazarus Group and its associated unit, Bluenoroff.

While attribution remains cautious, the overlap in modus operandi and tooling suggests the attack may align with previous campaigns targeting crypto companies.

Systems restored as operations normalize

Following the incident, Bitrefill worked with external cybersecurity firms, on-chain analysts, and law enforcement to contain the breach and restore operations. Most services, including payments and product availability, have since returned to normal.

The company said it remains financially stable and will absorb the losses from operational capital. It also outlined steps taken post-incident, including:

  • Strengthened access controls
  • Expanded monitoring and logging
  • Additional security audits and penetration testing

Bitrefill added that customer data was not the primary target and, based on current findings, users do not need to take specific action beyond remaining cautious of suspicious communications.


Final Summary

  • Bitrefill confirmed a cyberattack that drained hot wallets and exposed limited user data, with the investigation pointing to similarities with the tactics of the Lazarus Group.
  • The incident highlights ongoing security risks in crypto infrastructure, particularly from sophisticated, state-linked threat actors targeting operational weaknesses.

Source: https://ambcrypto.com/bitrefill-says-attack-shows-lazarus-group-patterns-after-hot-wallets-drained/
