Crypto Gift Card Issuer Bitrefill Discloses Hack, Assigns Blame to North Korea
According to an incident report published today, crypto gift card issuer Bitrefill was victimized by a North Korean cyberattack on March 1, 2026. Company funds were drained in the attack, and a subset of user data was exposed.
What's the Scoop?
- Hackers Attack: According to Bitrefill's incident report, a compromised employee laptop allowed hackers to exfiltrate a legacy credential, which was leveraged to access company infrastructure, including parts of Bitrefill's database and certain cryptocurrency wallets. Analysis revealed similarities between this attack and past cyberattacks by the DPRK's Lazarus and Bluenoroff groups against other companies in the crypto industry.
- Incident Trail: Bitrefill initially noticed suspicious purchasing patterns with certain suppliers, before finding that gift card stocks and supply lines were being exploited. At this time, Bitrefill also discovered that the attacker had drained funds from its hot wallets.
- Data Breach: While Bitrefill maintains that customer data was not the target of this breach and claims there is no evidence its entire customer database was extracted, the company acknowledges that the attacker misused their access to query a select number of purchase records.
- User Fallout: According to Bitrefill, the attackers accessed 18.5k purchase records containing customer email addresses, crypto payment addresses, and metadata (including IP addresses). Approximately 1k of the purchase records included customers' names, which were stored in encrypted form but were potentially exposed (impacted customers in this category were directly notified of the breach via email).
March 1st incident report
— Bitrefill (@bitrefill) March 17, 2026
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities…