Particle.news

Bitrefill Links March Cyberattack to North Korea–Tied Lazarus After Hot Wallet Theft

Investigators are using Bitrefill’s published indicators to probe likely Lazarus involvement.

Overview

  • Bitrefill says the March 1 breach began with a compromised employee laptop where attackers extracted a legacy credential that unlocked production systems, database segments, and certain hot wallets.
  • Attackers drained an undisclosed amount from hot wallets and abused gift card supply lines, with the intrusion first flagged by irregular supplier purchasing activity.
  • Roughly 18,500 purchase records were accessed, including emails, crypto payment addresses, and IP metadata, and about 1,000 encrypted customer names may have been exposed, with affected users notified.
  • The company took systems offline during containment, engaged external responders and law enforcement, restored most services with sales back to normal, and will cover the losses from operational capital.
  • Bitrefill cites malware overlaps, reused IP and email infrastructure, and on-chain patterns consistent with Lazarus and Bluenoroff, and it is implementing tighter access controls, expanded monitoring, audits, and penetration testing.