The Bitrefill hack began with a compromised laptop belonging to an employee. According to a post on Bitrefill's social media, the hackers stole old login credentials and used them to access internal systems and move deeper into the company's infrastructure. From there, they accessed parts of the database and the encrypted hot wallet, allowing them to transfer funds to external addresses. An incident report dated March 1, 2026, indicated that Bitrefill was targeted in a cyber attack.
“Based on indicators observed during the investigation, including tactics, malware used, on-chain tracking, and repeated IP + email addresses, we found many similarities…” — Bitrefill (@bitrefill) March 17, 2026.
When the attack occurred, the company first noticed unusual activity as hackers began to abuse its gift card system. At the same time, funds were being transferred from the hot wallet. Once the activity was discovered, Bitrefill quickly took all systems offline to prevent further damage and ensure the platform's security. Bitrefill confirmed that approximately 18,500 purchase records were accessed. This data includes email addresses, cryptocurrency wallet addresses, and technical details such as IP addresses. In about 1,000 cases, customer names may also have been exposed. The company stated that this data was encrypted but is still considered a potential leak.
Despite the breach, Bitrefill indicated that it stores very little personal data and does not require full KYC. Any sensitive user data is held by external providers rather than in its own systems. Security experts suspect that the attack may have been orchestrated by the North Korean-linked “Lazarus Group.” The similarities pointing to the group include malware patterns, reused systems, and on-chain fund flows. Bitrefill has initiated an investigation following the hack. In a post, Bitrefill also stated that it has begun collaborating with cybersecurity experts, blockchain analysts, and law enforcement to investigate the breach. The company is currently improving its systems by adding stronger controls, more robust monitoring, and faster response plans.
For users, Bitrefill stated that no immediate action is required but advised vigilance against phishing emails or suspicious messages.
On March 1, 2026, Bitrefill suffered a cyber attack in which hackers exploited stolen employee login credentials to access internal systems, draining the cryptocurrency hot wallet and viewing approximately 18,500 user purchase records.
Bitrefill stores very little personal data and does not require full KYC. While email addresses and wallet addresses were leaked, sensitive information is held by external providers, reducing the risk of identity theft.
Security experts suspect that the North Korean-linked “Lazarus Group” is responsible for the attack. Bitrefill noted that this attack matches the group's patterns, including specific malware signatures and methods of transferring stolen cryptocurrency funds.
Users should remain vigilant, watch for phishing emails, avoid suspicious links, and monitor their accounts.


