Bitrefill Hit by Suspected Lazarus Group Cyberattack, Exposing Customer Data and Draining Funds Earlier this month, crypto e-commerce platform Bitrefill suffered a cyberattack believed to be linked to North Korea’s Lazarus Group, following patterns observed in previous digital asset sector breaches. The attack began with a compromised employee laptop, granting attackers access to internal systems, including portions of Bitrefill’s database and cryptocurrency wallets. Unauthorized transactions drained funds from hot wallets, and illicit purchases were made through vendor channels, though the exact financial loss remains undisclosed. The breach disrupted operations, prompting Bitrefill to take services offline before containing the incident. Investigators identified strong similarities to past Lazarus operations, including malware, infrastructure, and behavioral tactics. While the attackers accessed approximately 18,500 purchase records containing email addresses, crypto payment details, and IP metadata only around 1,000 records posed a higher risk due to potential exposure of encrypted customer names. Bitrefill has notified affected users in the higher-risk category. The company clarified that most purchases do not require identity verification, limiting the amount of sensitive personal data stored internally. For transactions that do, verification data is handled externally, further reducing exposure. Bitrefill stated there is no evidence the attackers extracted its entire database, only running limited queries to assess potential theft. Lazarus Group’s suspected involvement underscores its role as a persistent threat to the crypto industry, with North Korea-linked actors responsible for over $2 billion in crypto theft in a single year. These attacks often exploit social engineering, compromised insiders, or infected endpoints rather than direct technical vulnerabilities. In Bitrefill’s case, the initial breach aligns with known Lazarus tactics, leveraging employee access to move laterally across systems. Bitrefill has since restored most operations, including payments, inventory, and user accounts, and will cover financial losses from its own capital. The incident highlights the growing risk of operational exposure in crypto security, where human access points and internal systems increasingly serve as primary attack vectors.