
Cryptocurrency e-commerce platform Bitrefill disclosed on March 18 that it had been the target of a cyberattack on March 1. The tradecraft closely matches that of the North Korean state-linked Lazarus Group. The attackers compromised an employee's laptop and used that foothold to steal funds from the company's hot wallet and to access 18,500 purchase records.
Bitrefill's disclosure describes a multi-stage intrusion: the attackers first compromised an employee's device with malware, then used it as a springboard to move laterally to the company's hot wallet. This pattern, an endpoint device as the entry point and core financial assets as the target, matches the known tradecraft of Lazarus Group and its affiliated BlueNoroff group.
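The point of the pattern above is that one compromised laptop should never be sufficient to move hot-wallet funds. The following is an added example, not Bitrefill's code or anything from its disclosure: a minimal withdrawal gate of the kind a hot-wallet signing service can enforce before it signs. The policy knobs (a destination allowlist, a 2-of-N approval quorum from distinct users on distinct devices, and a sliding-window velocity cap) and the sample addresses, users and device identifiers are all constructed assumptions for illustration.

```python
# Added example: a withdrawal gate for a hot-wallet signing service.
# Not Bitrefill's code. The policy knobs (allowlist, 2-of-N approval from
# distinct users and devices, per-window velocity cap) and all sample data
# are assumptions chosen to show why one compromised laptop should not be
# able to empty the wallet on its own.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Approval:
    user: str
    device_id: str  # identity of the approving device (hardware-bound in practice; assumed here)


@dataclass(frozen=True)
class Withdrawal:
    dest: str
    asset: str
    amount: float
    requested_at: int  # unix seconds
    approvals: tuple[Approval, ...]


@dataclass
class WithdrawalPolicy:
    allowlist: frozenset[str]
    required_approvals: int = 2
    velocity_limit: float = 5.0  # max amount per asset per window
    velocity_window: int = 3600  # seconds
    executed: list[Withdrawal] = field(default_factory=list)

    def check(self, w: Withdrawal) -> list[str]:
        """Return the policy violations; an empty list means the withdrawal may be signed."""
        reasons: list[str] = []
        if w.dest not in self.allowlist:
            reasons.append("destination not on allowlist")
        # Approvals must come from distinct people on distinct devices, so an
        # attacker holding one laptop's credentials cannot self-approve.
        users = {a.user for a in w.approvals}
        devices = {a.device_id for a in w.approvals}
        if len(users) < self.required_approvals or len(devices) < self.required_approvals:
            reasons.append(f"need {self.required_approvals} approvals from distinct users and devices")
        # Sliding-window velocity cap bounds the loss even if the checks above are bypassed.
        recent = sum(
            h.amount
            for h in self.executed
            if h.asset == w.asset and 0 <= w.requested_at - h.requested_at < self.velocity_window
        )
        if recent + w.amount > self.velocity_limit:
            reasons.append(f"velocity limit of {self.velocity_limit} {w.asset} per window exceeded")
        return reasons

    def execute(self, w: Withdrawal) -> bool:
        """Stand-in for sign-and-broadcast: record the withdrawal only if policy passes."""
        if self.check(w):
            return False
        self.executed.append(w)
        return True


def build_policy() -> WithdrawalPolicy:
    # Constructed sample: the only destinations this hot wallet may pay out to.
    return WithdrawalPolicy(allowlist=frozenset({"bc1q-exchange-settlement", "bc1q-cold-storage"}))


def attacker_drain_attempt(policy: WithdrawalPolicy) -> list[str]:
    """Attacker on one employee laptop tries to sweep funds to their own address."""
    w = Withdrawal(
        dest="bc1q-attacker",
        asset="BTC",
        amount=4.0,
        requested_at=1_700_000_000,
        approvals=(
            Approval("alice", "laptop-alice"),
            Approval("bob", "laptop-alice"),  # forged second approval from the same stolen device
        ),
    )
    return policy.check(w)


def legitimate_sweeps(policy: WithdrawalPolicy) -> list[bool]:
    """Two normal sweeps to cold storage, then a third that trips the velocity cap."""
    results = []
    for i, amount in enumerate((2.0, 2.5, 1.0)):
        w = Withdrawal(
            dest="bc1q-cold-storage",
            asset="BTC",
            amount=amount,
            requested_at=1_700_000_000 + i * 600,
            approvals=(Approval("alice", "laptop-alice"), Approval("bob", "laptop-bob")),
        )
        results.append(policy.execute(w))
    return results


if __name__ == "__main__":
    p = build_policy()
    print(attacker_drain_attempt(p))  # allowlist and distinct-device quorum violations
    print(legitimate_sweeps(p))       # [True, True, False]
```

The gate only helps if it runs somewhere the compromised laptop cannot reach with a single credential, for example inside a signing service or HSM-backed policy engine; a policy evaluated on the endpoint itself is just more code for the malware to bypass.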
Bitrefill indicates that BlueNoroff may have been involved in this incident, possibly as the sole attacker. On the data side, the attackers ran limited queries against the purchase-records database, primarily to “detect assets that could be stolen, including cryptocurrencies and gift card inventories.” Bitrefill stresses that there is no evidence the attackers extracted the entire database; the motive appears to have been financial theft.
The attackers accessed 18,500 purchase records. Bitrefill says this may have caused a “limited leak of customer information,” but it found no sign of large-scale database exfiltration. In its public statement, Bitrefill said: “Almost all services have been restored—payments, inventory, and accounts—and sales levels have returned to normal.”
Following the incident, Bitrefill implemented several remediation measures and states that its cybersecurity posture has since been “significantly improved.”
Lazarus Group is among the most prolific threat actors targeting the cryptocurrency industry and is widely attributed to the North Korean state. In February 2025, it was accused of orchestrating the largest single theft in crypto history, taking up to $1.4 billion in digital assets from the exchange Bybit; that incident remains the largest known crypto hack to date.
The Bitrefill incident is the latest attack attributed to Lazarus Group or its affiliates since the Bybit theft, and it again shows the group's preference for compromising crypto companies' employee devices as its way in.
Q: What is the core method of the Bitrefill attack?
A: The attack took place on March 1. The attackers planted malware on an employee's laptop, used that access to reach the hot wallet and steal funds, and ran limited queries against 18,500 purchase records. The attribution rests on the malware used, on-chain tracing of the stolen funds, and reuse of known IP addresses and email infrastructure.
Q: Why does Bitrefill attribute this attack to Lazarus Group?
A: The evidence (the malware deployed, on-chain tracing of the stolen funds, and reuse of known IP addresses and email infrastructure) closely matches Lazarus Group's established tradecraft. In addition, the closely related BlueNoroff group may have been involved, possibly as the sole attacker.
Q: Has user personal data been leaked on a large scale?
A: Bitrefill states there is no evidence that the attackers extracted the entire database; they only ran limited queries aimed at identifying assets to steal. However, since 18,500 purchase records were accessed, some limited customer information may have been exposed, and users are advised to watch for suspicious activity, including phishing that references their Bitrefill purchases.