Bitrefill Faces Major Cyberattack, Exposing Customer Data and Funds

By Patricia Miller

Mar 17, 2026

Bitrefill experienced a severe cyberattack that compromised funds and data, revealing vulnerabilities in crypto gift card platforms.

Bitrefill, a leading platform for converting cryptocurrency into gift cards, recently faced a serious cyberattack that compromised its financial assets and some customer data. The company reported the incident on its X account, highlighting significant similarities with tactics associated with the Lazarus Group, an infamous North Korean cybercrime organization known for extensive crypto thefts.

The breach occurred on the first of March when cybercriminals accessed an employee’s device and used an old login credential to infiltrate the system. This entry point allowed attackers to extract sensitive production secrets and navigate deeper into Bitrefill's infrastructure, ultimately accessing database components and crypto wallets.

The intrusion was first detected due to irregular purchasing behavior traced back to suppliers. Upon further investigation, Bitrefill confirmed that attackers exploited its gift card inventory and supply chains, in addition to draining wallets. Reacting swiftly, the company initiated a containment strategy that took all systems offline.

What data was compromised in the breach?

Approximately 18,500 purchase records were affected, including customer email addresses, crypto payment addresses, and metadata like IP addresses. About 1,000 transactions involved products necessitating customer names. Although this information was encrypted, it would be at risk of exposure if the attackers had accessed the encryption keys. Bitrefill has already notified the customers impacted by this data breach.

Fortunately, Bitrefill reassured its customers that gift cards, store credits, and account balances held by users remained unaffected. The company noted that it does not enforce mandatory know-your-customer checks, and any KYC data submitted for increased purchase limits is managed by an external provider, keeping it off Bitrefill's main systems.

Further analysis revealed multiple links between the attack and the Lazarus Group and its affiliate, BlueNoroff. Indicators included malware correlations, blockchain tracing behaviors, and reused IP addresses and emails related to previous crypto breaches.

In collaboration with security firms and law enforcement, Bitrefill worked diligently to address these issues. The company plans to absorb the financial damages incurred from the cyberattack with its operational funds. Most functions of the platform, including payments, inventory, and customer accounts, have been restored, with transaction volumes returning to pre-incident levels.

To fortify its defenses against future threats, Bitrefill is enhancing its security measures. This includes implementing additional penetration testing, tightening access protocols, improving logging and monitoring systems, and updating incident response procedures—incorporating automated shutdown measures to better protect sensitive data.
