Cryptocurrency service provider Bitrefill suffered a cyberattack on March 1st in which some of its cryptocurrency funds were stolen. Following an in-depth investigation, the company found that multiple indicators of the attack were highly consistent with the modus operandi of the Lazarus/Bluenoroff hacker group, which is associated with North Korea (DPRK).
Bitrefill stated that the attackers' methods, malware, on-chain transaction patterns, and reuse of IP and email addresses all matched the group's past activity.
Bitrefill Network Attack Incident Details

According to the company's disclosure, the security incident originated from a compromised employee laptop, from which the attackers stole old login credentials. Those credentials still worked: using them, the attackers accessed a snapshot containing sensitive production environment information, used what they found there to expand their access within Bitrefill's systems, and ultimately reached some databases and cryptocurrency wallets.
Following the incident, Bitrefill has been working closely with multiple external cybersecurity experts, incident response teams, blockchain analysts, and law enforcement agencies.
The company emphasized that there is currently no evidence that customer data was the primary target of the attack. Log analysis showed that the attackers ran only a limited number of database queries, in a pattern resembling probing to identify what could be extracted, including cryptocurrency and gift card inventory. Bitrefill added that it stores a minimal amount of personal data and does not mandate KYC (Know Your Customer) verification; any verification information that does exist is hosted by a third-party service provider.

Nevertheless, Bitrefill confirmed that approximately 18,500 purchase records were accessed without authorization, including metadata such as email addresses, cryptocurrency payment addresses, and IP addresses. For roughly 1,000 customers who provided their names to purchase specific products, the names were stored encrypted, but Bitrefill treated them as potentially exposed because the encryption keys could also have been compromised, and it has notified those users individually.
Bitrefill currently believes that customers do not need to take any special action, but advises users to remain vigilant against unexpected communications relating to Bitrefill or cryptocurrency, since the exposed email addresses could be used for targeted phishing.
To address the incident, Bitrefill said it has comprehensively strengthened its security measures, including more in-depth external cybersecurity reviews and penetration tests, tighter internal access controls, upgraded monitoring and logging, and improved incident response processes. The company stated that the financial losses from the incident will be covered by its operating capital, and that most services, including payments and inventory management, have been restored to normal.
Destructive Activities of the Lazarus Group
The Lazarus group, widely considered a hacker collective associated with the North Korean government, has launched several high-profile cyberattacks worldwide in recent years. Its targets are broad, encompassing financial institutions, cryptocurrency exchanges, government departments, and individual users. The group employs diverse attack methods, often phishing, social engineering, and zero-day exploits, with the ultimate goal of stealing funds to finance North Korea's illicit activities. The Bitrefill incident once again underscores the serious threat the Lazarus group poses in the cybersecurity landscape.

