- Attackers compromised an employee laptop on March 1, extracted legacy credentials containing production secrets, and escalated access to Bitrefill’s hot wallets, database, and gift card purchasing systems.
- Approximately 18,500 purchase records were accessed, including email addresses and crypto payment addresses.
- Bitrefill’s investigation found forensic indicators, including malware signatures, on-chain fund tracing, and reused IP addresses, consistent with DPRK state-sponsored groups Lazarus and Bluenoroff.
Bitrefill said on March 17 that a cyberattack earlier this month compromised its hot wallets, parts of its database, and gift card purchasing systems after attackers gained access through a single employee laptop and used legacy credentials containing production secrets.
The breach began on March 1, when the attackers compromised the laptop and recovered a credential that gave them access to a snapshot with sensitive production data.
Bitrefill said the intruders then moved deeper into its infrastructure, drained cryptocurrency from hot wallets, and exploited gift card supply channels by making fraudulent vendor purchases.
The company first described the disruption as a technical issue before later confirming it was a security incident.
Related: BlackRock Signals Cautious Expansion of Crypto ETFs Despite New Staked Ether Fund
Bitrefill said it detected the attack after spotting unusual purchase patterns from some suppliers and realising its gift card stock and supply lines were being abused.
It shut down its systems and took services offline for about four days while working with external security researchers, incident response firms, blockchain analysts, and law enforcement.
The company said about 18,500 purchase records were accessed. Those records included email addresses, crypto payment addresses, and metadata such as IP addresses. Around 1,000 records also contained customer names in encrypted form.
Bitrefill said it is treating those names as potentially exposed because the attackers may have obtained the encryption keys. It added that it does not store mandatory KYC data and that any verification information is held by external providers.
Related: SEC and CFTC Sign Pact to Coordinate Crypto Oversight
Bitrefill Blames North Korea
Bitrefill said its investigation found indicators consistent with North Korean-linked groups Lazarus and Bluenoroff, citing similarities in tactics, malware, on-chain traces, and reused IP and email addresses.
The company did not present that attribution as confirmed, and no government agency or independent forensic firm has publicly verified it.
Also, the company did not disclose how much cryptocurrency was stolen, but said it remains profitable, well funded, and able to absorb the losses from operating capital. Most services, including payments, gift card inventory, and customer accounts, have since been restored.
Credit: Source link
