Bitrefill said a Lazarus Group attack exploited a compromised employee laptop and a legacy credential, enabling access to parts of the company database and several cryptocurrency hot wallets. The breach exposed roughly 18,500 purchase records and the encrypted names of about 1,000 customers; Bitrefill will absorb the losses and says user balances are safe. The Lazarus Group was also responsible for the largest single crypto heist in history when it hit Bybit early last year for more than $1 billion. The incident began when an employee's laptop was compromised and used as the initial entry point, from which the attackers obtained a legacy credential.

From there they eventually reached parts of the company database and several hot wallets. Bitrefill's security team first noticed the breach through suspicious purchasing patterns involving its suppliers: the attackers were exploiting the company's gift card stock and supply lines. At the same time, funds were drained from hot wallets and moved to wallets controlled by the attackers.

In response, Bitrefill immediately took all systems offline to contain the threat, but safely bringing the infrastructure back up took over two weeks because of its scale. The company notes that its business model stores very little personal information, does not require KYC for most users, and that higher-tier verification data, which is handled externally, was not stored on the breached systems. About 1,000 customers who had to provide names for specific products had that data stored in encrypted form; because the encryption keys may also have been accessed, Bitrefill is treating the data as potentially compromised and has notified those affected. Bitrefill will absorb the financial losses, and although hot wallets were drained, the company remains well-funded and has been profitable for several years, with all user balances safe. Bitrefill worked with security firms on on-chain tracing and forensics, tightened access controls, and has resumed most services; the post-mortem underscores ongoing crypto security concerns and the need for stronger supply-chain defenses and penetration testing. The company formally attributed the attack to the Lazarus Group based on the malware used, attacker behavior, on-chain fund tracing, and IP addresses and email addresses previously linked to North Korean operations.
