BlockBeats report: On March 18, the crypto e-commerce platform Bitrefill released an incident report stating that the company suffered a cyberattack on March 1, 2026. The investigation found that the attack method, malware, and on-chain fund movements closely resemble those used by the North Korean hacking group Lazarus Group/Bluenoroff in previous attacks against the crypto industry.
Bitrefill stated that the attack originated from a compromised employee laptop. The hackers stole old credentials from it to gain access to the system and obtain a snapshot containing production keys, then escalated privileges to access parts of the database and cryptocurrency wallets and transferred funds from the hot wallet.
After detecting abnormal gift card purchases and exploitation of inventory, the company confirmed a breach and immediately shut down all systems for emergency response. Regarding the data, Bitrefill stated that the attackers accessed approximately 18,500 purchase records containing email addresses, cryptocurrency payment addresses, and IP information. Around 1,000 orders included encrypted names, and affected users have been notified.
The company stated that there is currently no evidence that the full database was compromised, and believes customers do not need to take additional action; however, it advises vigilance against any suspicious communications impersonating Bitrefill or related to crypto assets. The platform said it will continue to enhance security audits, access controls, and monitoring systems to prevent similar incidents in the future.
