Bitrefill Says Cyberattack Exposed About 18,500 Purchase Records

Bitrefill said the March 1, 2026 breach linked to Lazarus Group drained some hot wallets, exposed limited customer purchase data, and began with a compromised employee laptop and legacy credentials.

Fact Check
The claim is directly supported by an official statement from Bitrefill's X account and corroborated by secondary news reports (Bitget News). The details regarding the date (March 1, 2026), the number of records (18,500), the cause (compromised laptop), and the attribution (Lazarus/Bluenoroff) all align perfectly across sources.
Summary

Bitrefill said a March 1, 2026 cyberattack linked to North Korea’s Lazarus Group compromised parts of its infrastructure, drained some hot wallets, and exposed about 18,500 purchase records. The company said the breach began with a compromised employee laptop that revealed legacy credentials, allowing attackers to access production keys, exploit gift card supply chains, and move funds before systems were taken offline. Bitrefill said about 1,000 records included encrypted usernames or names for specific products, affected users were notified, and the company will cover losses from operational capital while working with security researchers, incident response teams, on-chain analysts, and law enforcement.

Terms & Concepts
  • Hot wallet: A cryptocurrency wallet connected to the internet, allowing faster transactions but increasing exposure to cyberattacks compared with offline storage.
  • Lazarus Group: A hacking group widely associated with North Korea and repeatedly linked by researchers and companies to major cryptocurrency thefts and cyber intrusions.
  • On-chain analysts: Specialists who examine blockchain transaction data to trace how digital assets move between addresses and identify suspicious fund flows.