The leak reveals transaction and user data
Bitrefill confirmed that the attack occurred on March 1. Its investigation found traces of malware and identified IP and email addresses previously linked to North Korean-supported cyber attacks.
According to further information from Bitrefill, the attackers did not succeed in accessing user accounts or directly obtaining any financial verification documents. The company reiterated its commitment to protecting customer privacy, emphasizing that KYC information is stored outside the core platform precisely for security reasons.
Review of the attack process

The cyber attack began when an employee's laptop was compromised. From there, the intruders used legacy login credentials and outdated access keys to penetrate further into Bitrefill's infrastructure. With this unauthorized access, the attackers transferred assets from the company's hot wallet and placed suspicious orders through gift card vendors on the platform. The investigation found that the malware used, the recurring IP and email addresses, and the transaction patterns all matched those of the notorious Lazarus Group, indicating that the incident was linked to a North Korean-supported hacking organization.
Bitrefill later determined that the critical weakness was an unused access credential that had been retained in the system. The attackers captured a snapshot of the system together with the outdated credentials, which allowed the attack to spread within the company's network.
Response and remediation measures
Upon discovering the breach, Bitrefill quickly took all systems offline. After a two-week internal review and security overhaul, nearly all of the company's services were restored on March 17: payment operations, user accounts, and product inventory became available again. Bitrefill announced it would cover the financial losses in full from its own resources and assured users that customer balances remained unaffected and secure throughout the attack.

Following the incident, Bitrefill partnered with cybersecurity firms zeroShadow and SEAL911 to strengthen internal access controls to guard against future threats.
The ongoing threat of the Lazarus Group to crypto platforms
The Lazarus Group is a cybercrime organization linked to the North Korean regime that has launched multiple attacks on the crypto industry over the years. The group has been accused of stealing billions of dollars in digital assets, believed to fund North Korea's weapons programs. The recent Bitrefill incident highlights Lazarus's strategy of targeting not only large exchanges but also medium-sized platforms operating within the evolving crypto ecosystem.
In Bitrefill's case, storing authentication data outside the main platform helped limit the damage. However, the breach ultimately hinged on a neglected account credential, which became the attackers' gateway to the entire company network.