Bitrefill Cyberattack: Lazarus Group Suspected After Hack Exposes 18,500 Records

Bitrefill cyberattack linked to Lazarus Group exposed 18,500 records after employee laptop breach, while company restored services, improved security, and covered losses fully.

Crypto payments company Bitrefill reported a serious cyberattack on March 1, 2026. The company said the attack could be related to the Lazarus Group. Hackers gained access to systems, stole money, and accessed thousands of records of orders. However, Bitrefill said operations are now mostly restored, and losses will be covered.

Hack Began From Compromised Employee Laptop

Bitrefill said the attack began when hackers accessed an employee laptop. The attackers stole old login information on the device. Because of this reason, they got into internal systems and accessed secret data. Soon after, they gained access to parts of the company database as well as some crypto wallets.

Hackers reached a system snapshot that contained production secrets. After that, they increased their access to other services. This enabled them to move within the company network. As a result, they were able to see records and manage some payment systems.

Bitrefill became aware of the issue after strange buying activity popped up. Some suppliers experienced weird orders using gift cards. At the same time, the company had seen some hot wallets losing funds. Therefore, the team immediately checked the system and confirmed a breach.

Once the attack was confirmed, Bitrefill shut down all systems immediately. This step helped prevent additional damage from occurring. The company said it was not easy to turn off the services as it operates a global store. Bitrefill sells thousands of products in many countries with many ways of payment.

Security and law officers assisted in the investigation of the case. Bitrefill collaborated with Security Alliance and zeroShadow during the response. The team compared the attack with the previous hacks. They discovered that there were strong similarities to previous crypto hacks.

About 18,500 Records Accessed but Full Database Not Stolen

Bitrefill said about 18,500 purchase records were accessed during the attack. These records consisted of email addresses and crypto payment addresses. Some logs also contained IP address details. However, the company said the hacker or hackers did not copy the entire database.

Around 1,000 orders also had customer names on them. These names were stored in the encrypted form. Still, the company said hackers may have stolen the keys. Therefore, the users were notified by email as a safety step.

Bitrefill said it doesn’t store much personal data. The company does not require full identity check for most purchases. When verification is required, data remains with an outside provider. Because of this design, most personal data was not within Bitrefill’s systems.

The attack may be related to the Lazarus group, investigators believe. The tools, malware and network addresses were similar to those in the past. In addition, funds stolen were moved in a way seen before in North Korean attacks. These signs made experts think of the same group.

Bitrefill said that it has improved after the incident. The company included added stronger access rules and better monitoring tools. It also began new security tests with external experts. Officials said that the company will continue upgrades to keep users safe in the future.

The post Bitrefill Cyberattack: Lazarus Group Suspected After Hack Exposes 18,500 Records appeared first on Live Bitcoin News.