Bitrefill Hit by Cyberattack Linked to Lazarus Group, Exposing Limited Customer Data

Mar 18, 2026

Crypto-powered commerce platform Bitrefill has disclosed a targeted cyberattack that led to the theft of company funds and limited exposure of customer transaction data, in an incident the firm attributes to the Lazarus Group.

The breach, which occurred on March 1, 2026, was traced back to a compromised employee device that allowed attackers to obtain a legacy credential and gain access to internal systems. From there, the attackers moved laterally across parts of Bitrefill’s infrastructure, reaching production secrets and certain cryptocurrency hot wallets.

Bitrefill said the attackers drained funds from company-controlled wallets and exploited its gift card supply chain through suspicious transactions with suppliers. Investigators also identified limited database queries during the intrusion, suggesting the attackers were probing for valuable assets such as crypto holdings and inventory rather than attempting a full-scale data extraction.

The company detected the breach after noticing unusual purchasing patterns linked to suppliers, prompting an immediate shutdown of affected systems. Services were gradually restored over the following days, with operations largely returning to normal levels by mid-March.

Approximately 18,500 customer purchase records were accessed during the incident, according to the company. The exposed data included email addresses, cryptocurrency wallet details, and metadata such as IP-related information. In around 1,000 cases, customer names were also involved. While these names were encrypted, Bitrefill said the associated encryption keys may have been accessed, leading the company to treat the data as potentially compromised and notify affected users directly.

Despite the breach, Bitrefill emphasized that no customer funds were lost. Gift cards, account balances, and store credits remained secure, and sensitive identity verification data was not affected, as it is handled by an external provider.

The financial impact of the attack was limited to company assets, including hot wallet funds and inventory losses. While the exact amount stolen has not been disclosed, Bitrefill said it will absorb the losses using its own capital.

The company has since implemented a series of security upgrades, including tighter access controls, improved monitoring systems, and enhanced incident response procedures. It also worked with cybersecurity firms and blockchain investigators to trace the attack and contain further risks.

Bitrefill attributed the attack to the Lazarus Group based on a combination of technical indicators, including malware signatures, reused infrastructure, and transaction patterns on the blockchain. The group has been linked to multiple high-profile crypto-related attacks in recent years, often targeting centralized platforms and service providers.

Users have not been asked to take immediate action, but the company advised customers to remain vigilant against phishing attempts or suspicious communications that may try to exploit the incident.
