Bitrefill, which offers crypto spending cards and e-commerce services, has published a detailed report on the large-scale cyber attack of March 1, 2026. The company says approximately 18,500 transaction records were exposed and that assets held in several hot wallets were drained.
Leaked Data Details
The data set exposed in the attack contains email addresses, cryptocurrency payment addresses and some IP information, along with names for roughly 1,000 records. Bitrefill states that this data was stored encrypted, but it treats all of it as compromised on the assumption that the attackers may also have obtained the encryption keys; encryption at rest offers little protection once an intruder holds the keys. The company's statement notes that mandatory customer identification (KYC) data was not affected, because it is not kept in Bitrefill's own infrastructure and is handled by an external service provider. For most users, what was exposed was transaction history and some technical metadata.
Bitrefill stated that the attack took place on March 1 and that the investigation turned up the malware used together with IP and e-mail addresses that had already been seen in earlier North Korea-linked attacks.
According to the company, the attackers were not able to take over user accounts or obtain financial verification documents. Bitrefill stressed again that it prioritizes the protection of customers' personal information, which is why KYC data is kept outside its own systems.
Development of the Attack
The attack began with the compromise of an employee's laptop. From there, the attackers moved into other parts of the company's infrastructure using an old login and keys that had never been deprecated. With the permissions they obtained, they transferred the assets held in Bitrefill's hot wallets and placed suspicious orders with gift card suppliers on the platform. The malware used, the repeated appearance of the same IP and e-mail addresses, and the tracing of the stolen funds all matched indicators previously attributed to the North Korea-linked Lazarus Group.
Bitrefill identified the root cause as a credential that should have been deactivated but remained valid in the system. Once the attackers held both a system snapshot and this stale credential, the breach could spread across the company's entire infrastructure.
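The lesson of the passage above is that a credential which should have been revoked stayed usable. The following is an added example, not code from Bitrefill or from its report, of the check a defender would run: audit a credential inventory for keys and logins that should no longer be valid (owner offboarded, already marked revoked, past rotation age, or long unused), then scan an authentication log for any successful use of them and pull out the source addresses that touched more than one such credential. The inventory fields, the log format and all identifiers are constructed for the example.

```python
"""
Stale-credential audit and auth-log check.
INVENTORY and AUTH_LOG below are constructed sample data in a hypothetical
format; they are not Bitrefill's records.
"""
from datetime import datetime, timedelta, timezone

# Constructed credential inventory: one dict per key or login.
INVENTORY = [
    {"id": "key-ops-01", "owner": "alice", "owner_active": True,
     "revoked": False, "issued": "2026-01-05", "last_used": "2026-02-27"},
    {"id": "key-legacy-deploy", "owner": "bob", "owner_active": False,   # owner left the company
     "revoked": False, "issued": "2024-06-15", "last_used": "2025-09-03"},
    {"id": "login-ci-old", "owner": "ci", "owner_active": True,
     "revoked": True, "issued": "2024-01-10", "last_used": "2026-03-01"},  # marked revoked, still in use
    {"id": "key-wallet-signer", "owner": "treasury", "owner_active": True,
     "revoked": False, "issued": "2025-12-20", "last_used": "2026-02-28"},
]

# Constructed auth log: "<iso-time> <credential-id> <result> <source-ip>" per line.
AUTH_LOG = """\
2026-03-01T02:14:07Z key-ops-01 success 10.0.4.21
2026-03-01T02:31:55Z key-legacy-deploy success 203.0.113.45
2026-03-01T02:33:10Z login-ci-old success 203.0.113.45
2026-03-01T02:35:42Z key-wallet-signer success 203.0.113.45
"""

MAX_KEY_AGE = timedelta(days=90)   # hypothetical rotation policy
MAX_IDLE = timedelta(days=60)      # hypothetical idle limit


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def stale_credentials(inventory, today):
    """Return {credential_id: [reasons]} for every credential that should not be valid on `today`."""
    now = _day(today)
    findings = {}
    for c in inventory:
        reasons = []
        if not c["owner_active"]:
            reasons.append("owner offboarded")
        if c["revoked"]:
            # Listed as revoked; any accepted use of it means revocation did not take effect.
            reasons.append("marked revoked")
        if now - _day(c["issued"]) > MAX_KEY_AGE:
            reasons.append("past rotation age")
        if now - _day(c["last_used"]) > MAX_IDLE:
            reasons.append("unused > %d days" % MAX_IDLE.days)
        if reasons:
            findings[c["id"]] = reasons
    return findings


def uses_of_stale(auth_log, stale):
    """Return the log events in which a flagged credential was accepted."""
    hits = []
    for line in auth_log.splitlines():
        ts, cred, result, src = line.split()
        if cred in stale and result == "success":
            hits.append({"time": ts, "credential": cred, "src": src, "reasons": stale[cred]})
    return hits


def pivot_sources(hits):
    """Source IPs that used more than one flagged credential: a likely intruder moving laterally."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(h["credential"])
    return {src: sorted(creds) for src, creds in by_src.items() if len(creds) > 1}


def touched_from(auth_log, sources):
    """Every credential (flagged or not) accepted from the given sources: the blast radius to review."""
    seen = {src: set() for src in sources}
    for line in auth_log.splitlines():
        _, cred, result, src = line.split()
        if src in seen and result == "success":
            seen[src].add(cred)
    return {src: sorted(creds) for src, creds in seen.items()}


if __name__ == "__main__":
    stale = stale_credentials(INVENTORY, "2026-03-02")
    hits = uses_of_stale(AUTH_LOG, stale)
    pivots = pivot_sources(hits)
    print("stale:", stale)
    print("accepted uses of stale credentials:", hits)
    print("pivot sources:", pivots)
    print("everything touched from those sources:", touched_from(AUTH_LOG, list(pivots)))
```

In the sample data the audit flags the offboarded owner's key and the "revoked" CI login, the log shows both accepted from the same external address, and the blast-radius step then reveals that the same address also used the wallet signer key, which the audit alone would not have flagged. The rotation and idle limits are policy choices; the point is that the inventory and the authentication path must agree, so a credential marked revoked but still accepted is a finding on its own.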
Response Process and Results
Bitrefill took all of its systems offline shortly after detecting the attack and announced on March 17, after roughly two weeks of investigation, that almost all services were back to normal. The company stated that payments, user accounts and product inventory were accessible again, and that it would cover all financial losses from its own resources. User balances were not affected by the attack.
Following the attack, Bitrefill said it had begun working with the security responders zeroShadow and SEAL911 and that work to strengthen internal access controls is continuing.
Lazarus Group’s Role in the Crypto Ecosystem
Lazarus Group is a North Korea-affiliated threat actor that has carried out numerous attacks on the crypto industry over the years. The group has been linked to incidents in which billions of dollars in crypto assets were stolen, and those funds are reported to finance North Korea's weapons programs. The latest incident continues Lazarus' pattern of targeting mid-sized platforms alongside major exchanges.
In the Bitrefill incident, keeping KYC data off the platform limited the damage. The most striking point, however, is that a single stale credential became the gateway to the entire company infrastructure.
