Bitrefill, the Swedish crypto e-commerce platform, has revealed that it was targeted in a cyberattack on March 1, 2026, by hackers believed to be connected to the infamous Lazarus group from North Korea. The attack has resulted in drained funds and a breach of user data, prompting Bitrefill to issue a post-mortem report detailing the security failure.
In a statement shared on the social media platform X, Bitrefill indicated that the attack bore hallmarks consistent with previous incidents attributed to the Lazarus and Bluenoroff hacker groups. The breach began with a compromised employee laptop, which exposed legacy credentials that enabled the attackers to gain access to critical internal systems, databases, and wallets.
Suspicious purchasing patterns alerted the team to the ongoing cyberattack, leading to the discovery that gift card inventories were being misused. Some of Bitrefill’s hot wallets were accessed without authorization, resulting in funds being diverted to addresses controlled by the attackers.
Fortunately, Bitrefill clarified that customer data does not appear to have been the primary focus of the cybercriminals. They stated there is currently no evidence suggesting a complete database breach; instead, the attackers conducted limited queries, seemingly probing for valuable information, including cryptocurrency and gift card inventories.
Nonetheless, the company did confirm that the attackers accessed approximately 18,500 purchase records, which included limited customer information such as email addresses, cryptocurrency payment addresses, and metadata, including IP addresses. Additionally, for around 1,000 purchases, customers had provided their names for specific products. This information is encrypted, but it remains a concern because the attackers may have accessed the encryption keys.
Strengthening Security Measures
In the aftermath of the attack, Bitrefill is taking decisive steps to enhance its cybersecurity measures. The company is implementing thorough reviews and penetration tests coordinated by various external experts and is committed to following their recommendations closely.
Improvements include tightening internal access controls, enhancing logging and monitoring for faster threat detection, and refining incident response protocols alongside automated shutdown strategies. To bolster its defenses, Bitrefill is also working alongside top industry security experts, incident response teams, on-chain analysts, and law enforcement agencies.
On a positive note for users, Bitrefill said that operations are returning to normal. Payment processing is stabilizing, and stock availability and account functionalities are being restored. The firm’s leadership concluded their statement by emphasizing their resilience: “Bitrefill was designed to limit the impact if something like this ever happened. We remain well funded, have been profitable for several years, and will absorb these losses from our operational capital. We will continue to do our best to continue deserving your trust.”
The incident demonstrates the ongoing threats facing crypto companies and underlines the need for robust cybersecurity measures to protect both corporate assets and user data.
