Bitrefill, a platform that lets users exchange cryptocurrency for gift cards and phone service credit, disclosed Tuesday that it was targeted in a March 1 cyberattack.
According to the firm, the attack began with a compromised employee laptop, then expanded into broader infrastructure after attackers exfiltrated a legacy credential tied to a snapshot containing production secrets.
March 1st incident report
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities…
The company said its investigation found multiple indicators that it described as similar to prior industry attacks from the North Korean state-sponsored hacking groups Lazarus and Bluenoroff, including malware patterns, on-chain tracing, and reused infrastructure. Bitrefill said it has been working with incident responders, on-chain analysts, and law enforcement as the investigation continues.
On customer impact, Bitrefill said logs show no evidence of full database exfiltration, but a subset of records was accessed. The company said approximately 18,500 purchase records were affected, including limited fields such as email addresses, crypto payment addresses, and metadata including IP addresses.
For roughly 1,000 purchases requiring customer names, Bitrefill said those fields were encrypted but that it is treating them as potentially accessed because attackers may have obtained the relevant keys. The company said users in that subset were notified directly by email.
Bitrefill said it does not require mandatory KYC and stores verification information with an external provider, rather than in internal backups. Based on current findings, the company said it does not believe customers need to take specific action, while advising caution around unexpected Bitrefill- or crypto-related communications.
The company said most operations are now back to normal, including payments, stock, and accounts, and that losses will be absorbed through operational capital. Bitrefill also said it is continuing external security reviews and penetration testing, tightening internal access controls, and upgrading logging, monitoring, and incident-response automation.















