Crypto Platform Bitrefill Hit In Suspected Lazarus Attack; Here’s What Happened


In Brief

  • Bitrefill breach linked to suspected Lazarus Group attack.
  • Company funds drained, limited user data exposed.
  • Customer balances unaffected, phishing risks remain.

Cryptocurrency payments platform Bitrefill has disclosed a security breach that resulted in some company funds being drained and a subset of user data exposed. The incident is believed to be linked to North Korean hacking groups, including the Lazarus Group. Despite the attack, the company says customer balances and core services remained unaffected.

Bitrefill funds drained in suspected Lazarus attack

According to the disclosure shared by Bitrefill in an X post on March 17, attackers exploited vulnerabilities to access internal systems and move company funds.

The breach, which happened on March 1, is consistent with patterns seen in previous attacks attributed to North Korean actors, who have increasingly targeted crypto infrastructure.

Industry data suggests such groups have been responsible for billions in stolen crypto in recent years. As the company said:

“Based on indicators observed during the investigation – including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) – we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries.”

User impact limited, data leak confirmed

Bitrefill stated that, even though a subset of user information was exposed, critical assets remained secure. No user gift cards, account balances, or KYC-related data were affected, according to the company.

In response, the platform was temporarily taken offline before being restored with assistance from security experts. The platform stressed that:

“The moment we identified the breach, we took all of our systems offline as part of our containment response.”

“Customers did not take a hit”

The company emphasized that the damage was contained. In its statement, Bitrefill said it took a hit but its customers didn’t, highlighting that losses were limited to company funds rather than user holdings. Specifically:

“Based on our investigation and our logs we don’t have reason to think that customer data was the target of this breach. There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory.”

Phishing risks and ongoing monitoring

The exposure of user data raises concerns about potential phishing attempts. Users are being advised to monitor their accounts and remain cautious of suspicious communications.

Meanwhile, analysts are watching on-chain activity for any movement of the stolen funds from Bitrefill, which could provide further insight into the attackers’ methods and their connection to the infamous Lazarus group.
