0:00
0:00
Subscribe to Bankless or sign in
According to an incident report published today, crypto gift card issuer Bitrefill was victimized by a North Korean cyberattack on March 1, 2026. Company funds were drained in the attack, and a subset of user data was exposed.
What's the Scoop?
- Hackers Attack: According to Bitrefill's incident report, a compromised employee laptop allowed hackers to exfiltrate a legacy credential, which was leveraged to access company infrastructure, including parts of Bitrefill's database and certain cryptocurrency wallets. Analysis revealed similarities between this attack and past cyberattacks by the DPRK's Lazarus and Bluenoroff groups against other companies in the crypto industries.
- Incident Trail: Bitrefill initially noticed suspicious purchasing patterns with certain suppliers, before finding that gift card stocks and supply lines were being exploited. At this time, Bitrefill also discovered that the attacker had drained funds from its hot wallets.
- Data Breach: While Bitrefill maintains that customer data was not the target of this breach and claims there is no evidence its entire customer database was extracted, the company acknowledges that the attacker misappropriated their access to query a select number of purchase records.
- User Fallout: According to Bitrefill, 18.5k purchase records were accessed by the attackers, which contained customer email addresses, crypto payment addresses, and metadata (including IP addresses). Approximately 1k purchase records included customers' names in encrypted formats, but were potentially exposed (impacted customers in this category were directly notified of the breach via email).
March 1st incident report
— Bitrefill (@bitrefill) March 17, 2026
On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities…
