Bitrefill, a cryptocurrency-powered gift card platform, said a recent cyberattack on its systems shows similarities to operations previously attributed to the Lazarus Group, a North Korea-linked hacking collective.
The company disclosed that the incident began in early March after it detected unusual activity affecting its platform, including irregular purchasing behaviour and unauthorised access to parts of its infrastructure. Services were temporarily taken offline as the company investigated the issue and worked to contain the intrusion.
According to the company, the attack originated from a compromised employee’s laptop, which allowed the attackers to obtain legacy credentials. The attackers then used these credentials to access internal systems, including a snapshot containing production secrets, and from there escalated their access to broader infrastructure such as databases and cryptocurrency wallets.
Bitrefill said the attackers were able to access approximately 18,500 purchase records. The exposed data included email addresses, IP addresses, and cryptocurrency payment details. In about 1,000 cases, customer names were also included. The company noted that while the data was stored in encrypted form, the attackers may have obtained the keys required to decrypt it.
The company stated that user balances were not affected, although some funds were taken from operational cryptocurrency wallets. It added that the primary objective of the attackers appeared to be financial, targeting cryptocurrency assets and gift card inventory rather than customer information.
In its investigation, Bitrefill identified overlaps with previous campaigns linked to the Lazarus Group and its Bluenoroff subgroup. The company cited similarities in tactics, malware, infrastructure, and blockchain transaction patterns as part of its assessment, though attribution is based on observed indicators rather than confirmed identification.
Bitrefill said most services have since been restored and that it will cover any losses using its own capital. The company also stated that it is implementing additional security measures, including stronger access controls, expanded monitoring, and further testing of its systems.
