North Korean hackers suspected as crypto firm recovers from “hardest hit” in a decade


Almost three weeks after a costly breach, Bitrefill, known for its crypto gift card business, has almost fully recovered. A North Korean group is suspected to be behind the attack.

According to the company, the attacker's modus operandi, the malware used, on-chain tracing, and reused IPs and email addresses are similar to those of the Democratic People's Republic of Korea’s (DPRK) Lazarus/Bluenoroff group.

"We’ve been in business for over 10 years, and it’s the first time we’ve been hit this hard. But we survived," Bitrefill said.


The attack on March 1st resulted in an unspecified financial loss, as wallets were drained and the business was disrupted. Additionally, around 18,500 purchase records were accessed by the attackers.

While most of this data includes only email addresses, crypto payment addresses, and metadata such as IP addresses, around 1,000 transactions were linked to customer names, which are now treated as having been accessed by the criminals. In both cases, the company notified the affected users.

However, the company added that, based on the information currently available, it does not believe customers need to take any specific action, but they should remain cautious about any unexpected communications related to Bitrefill or crypto.

At the time of writing, the company’s status page shows that all its services are available, while only two payment methods – dogecoin and dashcoin – are still disabled. The company also claims that its sales volumes are back to normal.


In its incident report, Bitrefill said that the attackers compromised an employee's laptop and exfiltrated a legacy credential that gave them access to a snapshot containing production secrets and, subsequently, their broader infrastructure, including parts of their database and certain cryptocurrency wallets.

"The moment we identified the breach, we took all of our systems offline as part of our containment response," the company said, adding that there is no evidence that the attackers extracted their entire database.


According to the platform, the company is well-funded, has been profitable for several years, and will absorb losses from its operating capital.
