Bitrefill Cyberattack Linked to North Korea's Lazarus Group Exposes Customer Data
Severity: High (Score: 75.5)
Sources: Bleepingcomputer, Cryptorank, Nknews, Scworld, Cryptobriefing
Summary
Bitrefill, a crypto e-commerce platform, disclosed a cyberattack that began on March 1, 2026 and has been attributed to North Korea's Lazarus Group. The intrusion started with a compromised employee laptop, from which the attackers reached sensitive infrastructure, including parts of the database and cryptocurrency wallets. Approximately 18,500 purchase records were affected, exposing email addresses, crypto payment addresses, and metadata such as IP addresses; around 1,000 of those records also contained encrypted customer names that may have been accessed.

Bitrefill detected the breach through unusual supplier purchasing patterns and took all systems offline to contain it. The company is working with incident responders and law enforcement while restoring normal operations. It plans to absorb the financial losses from operational capital and is strengthening its security controls.

Key Points:
• Bitrefill was attacked by North Korea's Lazarus Group, starting on March 1, 2026.
• The breach affected 18,500 purchase records, including sensitive customer data.
• The breach was detected through unusual supplier purchasing patterns, and all systems were taken offline to contain it.
• Bitrefill is enhancing security protocols and absorbing the financial losses from the attack.
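The detection signal in this incident was a deviation in supplier purchasing volume, not a malware alert. The following is an added example, not Bitrefill's own detection logic or any code from the reporting sources, of how such a per-supplier baseline check can be run over purchase events: each supplier's hourly spend is scored against a robust baseline (median and median absolute deviation) built only from earlier hours, so a sudden burst of orders to one supplier stands out without being masked by its own spike. The log format, supplier names, and amounts are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of supplier purchase events (not real Bitrefill data).
# Each line: ISO-8601 timestamp, supplier id, order amount in USD.
SAMPLE_LOG = """\
2026-03-01T00:05:00Z giftcard-a 120.00
2026-03-01T00:40:00Z giftcard-a 15.00
2026-03-01T01:10:00Z giftcard-a 130.00
2026-03-01T02:20:00Z giftcard-a 110.00
2026-03-01T03:05:00Z giftcard-a 140.00
2026-03-01T04:15:00Z giftcard-a 125.00
2026-03-01T05:30:00Z giftcard-a 135.00
2026-03-01T06:02:00Z giftcard-a 1500.00
2026-03-01T06:03:00Z giftcard-a 1500.00
2026-03-01T06:04:00Z giftcard-a 2000.00
2026-03-01T00:30:00Z topup-b 40.00
2026-03-01T01:30:00Z topup-b 45.00
2026-03-01T02:30:00Z topup-b 42.00
2026-03-01T03:30:00Z topup-b 38.00
2026-03-01T04:30:00Z topup-b 41.00
2026-03-01T05:30:00Z topup-b 44.00
2026-03-01T06:30:00Z topup-b 39.00
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, supplier, amount) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, supplier, amount = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       supplier, float(amount)))
    return events


def hourly_totals(events):
    """Sum order amounts per supplier per clock hour."""
    totals = defaultdict(lambda: defaultdict(float))
    for ts, supplier, amount in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        totals[supplier][bucket] += amount
    return totals


def robust_score(value, history):
    """Scaled deviation from the median of prior hours; 1.4826 makes MAD
    comparable to a standard deviation for normal-looking baselines."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # floor: flat history still scores
    return (value - med) / (1.4826 * mad)


def flag_anomalies(events, threshold=5.0, min_history=4):
    """Return (supplier, hour, total, score) for hours whose spend is far above
    that supplier's own earlier hours. The baseline excludes the hour being
    scored so a burst cannot hide inside its own statistics."""
    flagged = []
    for supplier, buckets in hourly_totals(events).items():
        ordered = sorted(buckets.items())
        for i, (bucket, total) in enumerate(ordered):
            history = [t for _, t in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough baseline to judge yet
            score = robust_score(total, history)
            if score > threshold:
                flagged.append((supplier, bucket.isoformat(), round(total, 2), round(score, 1)))
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(parse_log(SAMPLE_LOG)):
        print("ALERT supplier=%s hour=%s total=%.2f score=%.1f" % hit)
```

In production the same scoring would be fed from the order pipeline rather than a text log, and the threshold and minimum history would be tuned per supplier, since low-volume suppliers produce noisy baselines. Pairing this with a hard per-hour spend cap that requires a second approver turns the alert into a control that limits how much an attacker with valid credentials (T1078) can drain before someone looks.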
Key Entities
- BlueNoroff (apt_group)
- Lazarus (apt_group)
- Lazarus Group (apt_group)
- Data Breach (attack_type)
- Supply Chain Attack (attack_type)
- Axie Infinity (company)
- Bitrefill (company)
- Bybit (company)
- Ronin (company)
- Democratic People's Republic of Korea (country)
- North Korea (country)
- Sweden (country)
- T1003 - OS Credential Dumping (mitre_attack)
- T1068 - Exploitation for Privilege Escalation (mitre_attack)
- T1078 - Valid Accounts (mitre_attack)
- T1195 - Supply Chain Compromise (mitre_attack)