Bitrefill hit by hack linked to Lazarus Group

Grafa
Written by Liezl Gambe

Crypto payments platform Bitrefill has disclosed a cybersecurity breach linked to methods associated with the Lazarus Group, following a March 1 attack that compromised an employee device.

The attackers reportedly used malware and reused infrastructure to access the employee’s laptop, allowing them to drain funds from Bitrefill’s hot wallets and access around 18,500 purchase records.

Bitrefill said the breach appeared financially motivated, with no evidence that its full database was extracted, though limited customer information may have been exposed.

The company did not disclose the total value of stolen funds but confirmed it will absorb the losses using its operational capital.

Investigators suggested the involvement of BlueNoroff Group, a hacking organisation linked to Lazarus, based on similarities in attack patterns and infrastructure.

Bitrefill temporarily shut down systems to contain the incident and has since restored operations, with payments, accounts and sales volumes returning to normal levels.

The company said it has strengthened internal controls, monitoring systems and cybersecurity processes following the breach, working with multiple security firms and law enforcement.

The incident highlights ongoing risks in the crypto sector, where sophisticated state-linked actors continue to target platforms despite improved security measures.
