Bitrefill Blames North Korean Lazarus Group for Cyberattack, Exposing Customer Data
**Bitrefill**, a popular platform for purchasing gift cards with cryptocurrency, has attributed a recent cyberattack to the North Korean hacking group **BlueNoroff**, a subgroup of the infamous **Lazarus Group**. The breach resulted in the exposure of customer data and disruption of services, highlighting the ongoing threat to the cryptocurrency industry.

**Bitrefill**, a crypto-powered gift card store, believes that the cyberattack it experienced earlier this month was likely carried out by North Korean hackers belonging to the **BlueNoroff** group.
### Attribution to BlueNoroff
During the investigation, **Bitrefill** observed indicators consistent with previous attacks attributed to the North Korean threat actor, including similar tactics, malware, and reused IP and email addresses.
"Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities between this attack and past cyberattacks by the DPRK **Lazarus** / **BlueNoroff** group against other companies in the crypto industries," **Bitrefill** stated.
### Bitrefill's Business
**Bitrefill** operates as an e-commerce platform that allows users to purchase gift cards for various stores in 150 countries using cryptocurrency. These gift cards can be used for a wide range of goods and services.
The platform supports over 600 mobile operators and thousands of brands worldwide.
### Attack Timeline and Impact
On March 1st, **Bitrefill** experienced technical issues affecting access to its website and app. The company later disclosed that it had suffered a cyberattack and took all services offline.
While user balances remained unaffected, the restoration of services is still ongoing.
The breach was detected after **Bitrefill** noticed suspicious supplier purchasing patterns, exploitation of gift card stock and supply lines, and the draining of some "hot" wallets.
### Attack Vector
The investigation revealed that the attack originated from an employee's compromised laptop.
The attackers stole legacy credentials and used them to access a snapshot containing production secrets, enabling them to escalate access to the broader **Bitrefill** infrastructure, including parts of the database and some cryptocurrency wallets.
### Data Exposure
Approximately 18,500 purchase records containing customer email addresses, IP addresses, and cryptocurrency payment addresses were exposed. Additionally, customer names were exposed for 1,000 purchases.
While this information is stored in encrypted form, **Bitrefill** acknowledges that the attackers may have obtained the decryption keys.
### Minimal Financial Losses
**Bitrefill** considers this the most serious cyberattack in its ten-year history but reports minimal financial losses, which will be covered from its capital. The company believes the attackers were primarily targeting cryptocurrency and gift card inventory, rather than customer information.
### BlueNoroff's Profile
**BlueNoroff**, also known as APT38, is a subgroup of the **Lazarus Group** and has been active since at least 2014. The group typically targets financial organizations and has recently focused on the cryptocurrency industry, with the goal of stealing cryptocurrency.
### Remediation Efforts
**Bitrefill** is enhancing its security posture by expanding security reviews and penetration testing, tightening access controls, improving logging and monitoring, and refining automated shutdown mechanisms.
Most services have returned to normal operational status, and customers are advised to exercise caution when handling incoming communications.