Crypto e-commerce firm Bitrefill discloses cyberattack, names North Korea's Lazarus Group as potential suspect
Bitrefill said attackers were able to access 18,500 purchase records, potentially revealing "limited customer information," and drain some of the company's hot wallets. The crypto e-commerce firm said the attack, which appears to have started from a compromised employee laptop, follows a modus operandi similar to that of Lazarus.
2026-03-18 Source:theblock.co

Crypto e-commerce and gift card business Bitrefill said it was the victim of a cyberattack likely perpetrated by the state-sponsored North Korean hacking collective Lazarus Group earlier this month.

"Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries," Bitrefill said Tuesday on X, referring to the specialized Bluenoroff hacking subgroup.

According to Bitrefill, the hackers were able to drain some of the company’s hot wallets and place suspicious purchases with its vendors. It is unclear how much was lost through the attack, which was also allegedly able to tap into Bitrefill’s "broader infrastructure, including parts of our database and certain cryptocurrency wallets."

The attack, which allegedly began on March 1, was able to access 18,500 purchase records, potentially revealing "limited customer information," such as email addresses, crypto payment addresses, and metadata including IP addresses.

About 1,000 of those breached records are at a higher risk of having potentially revealed encrypted customer names. The company said it has contacted those individuals.

The Democratic People's Republic of Korea (DPRK) is the biggest and most active threat to crypto security today. Chainalysis estimated DPRK-connected groups and individuals stole a record $2.02 billion via crypto thefts in 2025 — including the largest crypto exploit to date, the $1.5 billion hack of Bybit exchange by Lazarus — out of $3.4 billion in total stolen crypto funds.

Bitrefill said its attack began with a compromised employee laptop, an attack vector that has also been used in other incidents. Lazarus, for instance, often tries to embed fraudulent IT workers inside crypto services to gain privileged access to information or funds, Chainalysis said.

Crypto exploits often raise questions about corporate data storage of Personally Identifiable Information (PII). Last year, Coinbase disclosed that cyber criminals had bribed the exchange's offshore customer service representatives in order to obtain user data and account management records, in an attack that could result in hundreds of millions of dollars in losses.

Bitrefill noted that it does not require mandatory KYC for most purchases, and in cases where KYC is required, "that data is kept exclusively with our external KYC provider, with no backups in our system."

"Based on our investigation and our logs we don’t have reason to think that customer data was the target of this breach," Bitrefill said. "There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory."

The company "will absorb" any losses from its operational capital. It worked with cybersecurity firms zeroShadow, SEAL911, RecoverisTeam, and others during its attack response.

"Almost everything is back to normal: payments, stock, accounts," Bitrefill said, noting it took its systems offline as part of its initial containment response. "Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us."

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.