Bitrefill links Lazarus Group to employee laptop hack, stolen funds

By Anonymous

Created March 18, 2026 | 2 min read

Bitrefill didn’t reveal how much money was drained in the March 1 incident but said it will absorb the losses using its operational capital.

Crypto e-commerce store Bitrefill has revealed it was the victim of a cybersecurity attack on March 1, with the methods used closely resembling those of Lazarus Group, North Korea’s notorious hacking organization.

In a post to X on Tuesday, Bitrefill said the hackers used malware, on-chain tracing, and reused IP and email infrastructure to compromise an employee’s laptop, enabling them to drain funds from the company’s hot wallets while also accessing 18,500 purchase records, potentially revealing “limited customer information.”

Bitrefill said BlueNoroff Group, another North Korean hacking organization with close ties to the Lazarus Group, may have also been involved or been the sole attacker.

Bitrefill, which enables customers to spend crypto on real-world products and gift cards, said there was no evidence that the hackers extracted its database, suggesting the motive was financial.

While Bitrefill didn’t disclose how much was stolen, the company said it “will absorb” those losses from its operational capital.

“Almost everything is back to normal: payments, stock, accounts,” Bitrefill said, adding: “Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us.”

Despite many crypto platforms strengthening security measures in recent years, sophisticated hackers have continued to find ways to breach their defenses.

Lazarus Group remains the crypto industry’s most formidable threat and was behind the largest hack in crypto history, when it stole $1.4 billion from crypto exchange Bybit in February 2025.

Bitrefill said it contacted law enforcement and worked with crypto security firms Security Alliance, FearsOff Security, Recoveris.io and zeroShadow to navigate the cybersecurity incident. Part of its initial response was to turn its systems offline to contain the attack.

Bitrefill said it has already “significantly improved” its cybersecurity practices since the incident. 

Those measures include cybersecurity reviews with security researchers and implementing their recommendations, tightening internal access controls and improving monitoring strategies for faster detection and response.

Source: CoinTelegraph

