Crypto e-commerce platform Bitrefill accuses North Korea of stealing 18,500 purchase records

Published: 2026-03-18T01:54:00+00:00

Summary

Bitrefill says it was hacked on 1 March and that attackers tied to North Korea’s Lazarus Group accessed around 18,500 purchase records. The stolen records reportedly included email addresses, cryptocurrency payment addresses and metadata such as IP addresses.

The company traced initial access to a compromised employee laptop and a leaked legacy credential that allowed the attackers to access a snapshot of production secrets, escalate privileges, and reach parts of the database and some cryptocurrency wallets. Bitrefill detected the breach after spotting suspicious purchase patterns, took systems offline, and restored service on 5 March after investigations involving law enforcement and security specialists.

Some company wallets were drained and funds moved to attacker-controlled wallets; Bitrefill has not disclosed the amount and says it will absorb the losses through operational capital. The firm describes the attackers' database queries as limited probing consistent with attempts to find cryptocurrency and gift-card inventory rather than wholesale exfiltration of its entire user database.

Key Points

  • Attack date: 1 March; Bitrefill restored site and app on 5 March after taking systems offline for investigation.
  • Attribution: Bitrefill attributes the incident to actors linked to North Korea’s Lazarus Group based on tactics, malware, IPs and blockchain activity.
  • Data accessed: ~18,500 purchase records containing emails, crypto payment addresses and metadata including IP addresses.
  • Initial vector: compromised employee laptop and a legacy credential that exposed a snapshot with production secrets.
  • Impact: some cryptocurrency wallets were drained; the company has not disclosed the value lost and will cover losses from operational capital.
  • Broader trend: Lazarus and North Korea-linked groups have stolen large sums of crypto over recent years, with Chainalysis and UN reports documenting billions taken.

Context and Relevance

This incident illustrates the persistent risk state-linked cyber groups pose to cryptocurrency ecosystems and crypto-enabled commerce. Bitrefill’s model—allowing users to buy gift cards and pay bills with crypto—makes it a lucrative target because attackers can convert stolen crypto into goods or spendable credit. The breach highlights common weaknesses: legacy credentials, compromised endpoints (employee laptops) and the high value of private keys and production secrets.

For security teams and crypto businesses, the case reinforces the need for strong credential hygiene, endpoint protection, rapid anomaly detection on purchasing/supply patterns, and robust key-management practices. For users, it underlines privacy and exposure risks when platforms store payment metadata tied to crypto addresses.

Why should I read this?

Because if you use crypto, sell gift cards, run a crypto-friendly checkout or just care about online security, this is the sort of messy, real-world hack that shows exactly how attackers get in and what they go after. Short story: a dodgy laptop + an old password = stolen wallets and exposed customer records. Read the details so you know what to lock down.

Author style

Punchy: this isn’t just another breach — it’s another data point in a steady, state-backed campaign against crypto infrastructure. If you care about safeguarding funds or customer data, the specifics here (legacy creds, endpoint risk, probing behaviour) are worth your attention now, not later.

Source

Source: https://therecord.media/crypto-platform-accuses-north-korea-hack