Bitrefill Blames North Korean Lazarus Group for Major March 1 Crypto Exploit, Vows to Cover All User Losses

Crypto payment service Bitrefill has identified the notorious North Korean Lazarus Group as responsible for a major security breach on March 1, linking the attackers to the largest single heist in cryptocurrency history. The company confirmed the exploit originated from a compromised employee laptop, leading to the draining of several corporate hot wallets, but has committed to fully covering all user losses despite not disclosing the exact amount stolen.

Did Bitrefill hide that it got hacked?  

Bitrefill has released a comprehensive post-mortem regarding a security breach that began on March 1. The company formally blamed the attack on the North Korean hacking group known as Lazarus Group or Bluenoroff because of the evidence it examined, based on the specific malware used, the modus operandi of the attackers, on-chain tracing of stolen funds, and the reuse of specific IP and email addresses previously linked to North Korean operations.

The incident began when an employee’s laptop was compromised and used as an initial point of entry for the hackers to gain access to a legacy credential. This credential granted the attackers access to a snapshot of the company’s systems that contained production secrets. 

With these secrets in hand, the Lazarus Group was then able to spread its access across Bitrefill’s infrastructure. They eventually reached parts of the company database and several cryptocurrency hot wallets.

Bitrefill’s security team first noticed the breach through “suspicious purchasing patterns” involving their suppliers. The attackers were exploiting the company’s gift card stock and supply lines. 

Simultaneously, the company realized that funds were being drained from their hot wallets and moved to wallets controlled by the attackers. 

In response, Bitrefill immediately took all systems offline to contain the threat, but due to the fact that the company’s global e-commerce network has thousands of products and dozens of suppliers, the process of safely shutting down and rebooting the infrastructure took over two weeks. 

How much was stolen during the Bitrefill breach?

Bitrefill’s investigation revealed that the hackers were not very interested in stealing customer data; not that they would have been able to. The company emphasized that its business model is designed to store very little personal information. It does not require mandatory “Know Your Customer” (KYC) documentation for most users, and data provided for higher-tier verification is managed by an external provider and was not stored on the systems that were breached.

However, the attackers did access approximately 18,500 purchase records. These records included customer email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. 

About 1,000 of Bitrefill’s customers who had to provide names for specific products had their data encrypted. However, because the hackers may have accessed the encryption keys, Bitrefill is treating that data as potentially compromised and has already emailed those affected.

Regarding financial losses, Bitrefill has announced that it will absorb the impact. Although hot wallets were drained, the company stated it remains well-funded and has been profitable for several years. All user balances remain safe and unaffected. 

Bitrefill worked with several high-profile security entities, including Zeroshadow, SEAL Org, and the Recoveris Team to map the movement of the stolen funds on the blockchain. They also assisted in the forensic cleanup of the company’s servers. 

Bitrefill has since tightened internal access controls to ensure a single compromise cannot lead to a full system breach. The company also improved its shutdown procedures to react faster to suspicious database requests.

The company also stated it is continuing to conduct thorough pentests (penetration tests) with external experts to find any remaining vulnerabilities. Currently, almost all services, including payments, stock replenishment, and account features have returned to normal. 

If you want a calmer entry point into DeFi crypto without the usual hype, start with this free video.