Lazarus Group Drained Bitrefill Hot Wallets on March 1
Lazarus Group breached Bitrefill on March 1 through a compromised employee laptop, deploying malware to drain hot wallets and probe 18,500 purchase records. The attack mirrors tactics used in the ₱83.59 billion ($1.4 billion) Bybit heist in February 2025.
Key Takeaway
Lazarus Group's attack chain — malware, hot wallet drain, customer data probe — mirrors the Bybit playbook.
Bitrefill confirmed that Lazarus Group or its close affiliate BlueNoroff breached its systems on March 1, draining hot wallet funds and accessing customer data.
The crypto e-commerce platform — which lets users spend crypto on gift cards and real-world products — said hackers compromised an employee laptop to deploy malware. From there, attackers drained funds from hot wallets and ran queries on 18,500 purchase records. Bitrefill said there is no evidence the attackers extracted the entire database, only that they probed to understand what was available to steal, including cryptocurrency and gift card inventory.
Bitrefill linked the attack to Lazarus Group through on-chain tracing and reused IP and email infrastructure. BlueNoroff, another North Korean group with close ties to Lazarus, may have been involved or may have carried out the attack alone. The company took its systems offline immediately to contain the breach, contacted law enforcement, and brought in four security firms: Security Alliance, FearsOff Security, Recoveris.io, and zeroShadow.
Bitrefill said it will absorb losses from its operational capital and has since implemented tighter internal access controls and improved monitoring strategies for faster detection and response. The platform posted on X that almost everything is back to normal: payments, stock, and accounts. Sales volumes have also returned to normal, and the company thanked customers for their continued confidence.
The platform has been operational since 2014, growing from a Bitcoin airtime service to a global crypto spending tool spanning five continents without venture capital funding. Bitrefill engaged security researchers to conduct cybersecurity reviews and implemented their recommendations after the March 1 breach.
This article was written based on reporting from Cointelegraph.