North Korean Hackers Target Crypto Retailer Bitrefill in Data Breach

18 March 2026 - 12:00 CET
Bitrefill Lazarus hack

Crypto retailer Bitrefill has reported a targeted cyberattack resulting in the theft of an undisclosed amount of corporate funds and approximately 18,500 customer purchase records. The digital gift card provider attributed the breach to state-sponsored actors operating out of North Korea, citing forensic evidence gathered following the 1 Mar intrusion.

The attackers used malware to compromise an employee laptop, granting them access to internal systems to siphon capital and extract purchase details. Stolen data included customer email addresses, cryptocurrency payment destinations and IP metadata, corporate statements indicate. Bitrefill confirmed it remains well capitalized, will absorb all financial losses from the corporate treasury and advised clients to remain vigilant against unexpected communications.

Bridging crypto and e-commerce

The platform operates as an e-commerce bridge, allowing users to purchase gift cards with digital assets to spend on traditional retail networks such as Amazon, Uber and Netflix. Following the breach, the company engaged external cybersecurity experts to reinforce its internal defences and map the attackers' movements.

The intruders ran a limited number of queries designed to probe the inventory of digital assets and gift cards before executing the theft, the company noted in a public incident report.

The North Korea link

Based on internal postmortem analysis, Bitrefill identified the Lazarus or Bluenoroff hacking syndicates as the probable culprits. The firm cited onchain transaction patterns, specific web addresses and the operational methodology of the attack as evidence supporting the attribution.

Operating under the remit of North Korea's Reconnaissance General Bureau, the two syndicates are recognized among the most prolific state-sponsored threats in the global digital asset ecosystem. North Korean hacking collectives have systematically extracted a cumulative $6.8bn through crypto crime, according to previous blockchain analytics data reported by Sandmark.