{"id":7589,"date":"2026-03-18T11:40:41","date_gmt":"2026-03-18T11:40:41","guid":{"rendered":"https:\/\/cryptonews.uk.com\/?p=7589"},"modified":"2026-03-18T11:40:41","modified_gmt":"2026-03-18T11:40:41","slug":"bitrefill-hack-exposes-wallets-and-gift-card-systems-as-north-korean-links-emerge","status":"publish","type":"post","link":"https:\/\/cryptonews.uk.com\/?p=7589","title":{"rendered":"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge"},"content":{"rendered":"<p><\/p>\n<div>\n<div id=\"blockquote-block_406128d36f741afeff8dc23eb62dd53b\" class=\"blockquote-container\" style=\"border-color: #5100fc\">\n<div class=\"blockquote-text\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Attackers compromised an employee laptop on March 1, extracted legacy credentials containing production secrets, and escalated access to Bitrefill\u2019s hot wallets, database, and gift card purchasing systems.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Approximately 18,500 purchase records were accessed, including email addresses and crypto payment addresses.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Bitrefill\u2019s investigation found forensic indicators, including malware signatures, on-chain fund tracing, and reused IP addresses, consistent with DPRK state-sponsored groups Lazarus and Bluenoroff.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<p>Bitrefill said on March 17 that a cyberattack earlier this month compromised its hot wallets, parts of its database, and gift card purchasing systems after attackers gained access through a single employee laptop and used legacy credentials containing production secrets.<\/p>\n<p>The breach began on March 1, when the attackers compromised the laptop and recovered a credential that gave them access to a snapshot with sensitive production data.\u00a0<\/p>\n<p>Bitrefill said the intruders then moved deeper into its infrastructure, drained cryptocurrency from hot wallets, and exploited gift card supply channels by making fraudulent vendor purchases.\u00a0<\/p>\n<p>The company first described the disruption as a technical issue before later confirming it was a security incident.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">March 1st incident report<\/p>\n<p>On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation  \u2013 including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) \u2013 we find many similarities\u2026<\/p>\n<p>\u2014 Bitrefill (@bitrefill) <a href=\"https:\/\/twitter.com\/bitrefill\/status\/2033931580352221656?ref_src=twsrc%5Etfw\">March 17, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p><strong>Related: BlackRock Signals Cautious Expansion of Crypto ETFs Despite New Staked Ether Fund<\/strong><\/p>\n<p>Bitrefill said it detected the attack after spotting unusual purchase patterns from some suppliers and realising its gift card stock and supply lines were being abused.\u00a0<\/p>\n<p>It shut down its systems and took services offline for about four days while working with external security researchers, incident response firms, blockchain analysts, and law enforcement.<\/p>\n<p>The company said about 18,500 purchase records were accessed. Those records included email addresses, crypto payment addresses, and metadata such as IP addresses. Around 1,000 records also contained customer names in encrypted form.\u00a0<\/p>\n<p>Bitrefill said it is treating those names as potentially exposed because the attackers may have obtained the encryption keys. It added that it does not store mandatory KYC data and that any verification information is held by external providers.<\/p>\n<p><strong>Related: SEC and CFTC Sign Pact to Coordinate Crypto Oversight<\/strong><\/p>\n<h2 class=\"wp-block-heading\" id=\"h-bitrefill-blames-north-korea-nbsp\">Bitrefill Blames North Korea\u00a0<\/h2>\n<p>Bitrefill said its investigation found indicators consistent with North Korean-linked groups Lazarus and Bluenoroff, citing similarities in tactics, malware, on-chain traces, and reused IP and email addresses.\u00a0<\/p>\n<p>The company did not present that attribution as confirmed, and no government agency or independent forensic firm has publicly verified it.<\/p>\n<p>Also, the company did not disclose how much cryptocurrency was stolen, but said it remains profitable, well funded, and able to absorb the losses from operating capital. Most services, including payments, gift card inventory, and customer accounts, have since been restored.<\/p>\n<\/p><\/div>\n<p><script async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>Hackers,North Korea#Bitrefill #Hack #Exposes #Wallets #Gift #Card #Systems #North #Korean #Links #Emerge1773834041<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers compromised an employee laptop on March 1, extracted legacy credentials containing production secrets, and escalated access to Bitrefill\u2019s hot wallets, database, and gift card purchasing systems. Approximately 18,500 purchase records were accessed, including email addresses and crypto payment addresses. Bitrefill\u2019s investigation found forensic indicators, including malware signatures, on-chain fund tracing, and reused IP addresses,<\/p>\n","protected":false},"author":1,"featured_media":7590,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[3398,3399,2303,619,3232,652,1137,3075,3401,3400,35],"class_list":{"0":"post-7589","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-bitcoin","8":"tag-bitrefill","9":"tag-card","10":"tag-emerge","11":"tag-exposes","12":"tag-gift","13":"tag-hack","14":"tag-korean","15":"tag-links","16":"tag-north","17":"tag-systems","18":"tag-wallets"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.6 (Yoast SEO v26.6) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge - Crypto News: Latest Cryptocurrency News and Analysis<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cryptonews.uk.com\/?p=7589\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge\" \/>\n<meta property=\"og:description\" content=\"Attackers compromised an employee laptop on March 1, extracted legacy credentials containing production secrets, and escalated access to Bitrefill\u2019s hot wallets, database, and gift card purchasing systems. Approximately 18,500 purchase records were accessed, including email addresses and crypto payment addresses. Bitrefill\u2019s investigation found forensic indicators, including malware signatures, on-chain fund tracing, and reused IP addresses,\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cryptonews.uk.com\/?p=7589\" \/>\n<meta property=\"og:site_name\" content=\"Crypto News: Latest Cryptocurrency News and Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-18T11:40:41+00:00\" \/>\n<meta name=\"author\" content=\"\u884c\u653f\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"\u884c\u653f\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/cryptonews.uk.com\/?p=7589\",\"url\":\"https:\/\/cryptonews.uk.com\/?p=7589\",\"name\":\"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge - Crypto News: Latest Cryptocurrency News and Analysis\",\"isPartOf\":{\"@id\":\"https:\/\/cryptonews.uk.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/cryptonews.uk.com\/?p=7589#primaryimage\"},\"image\":{\"@id\":\"https:\/\/cryptonews.uk.com\/?p=7589#primaryimage\"},\"thumbnailUrl\":\"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/03\/cyber-security-hack.jpeg\",\"datePublished\":\"2026-03-18T11:40:41+00:00\",\"author\":{\"@id\":\"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf\"},\"breadcrumb\":{\"@id\":\"https:\/\/cryptonews.uk.com\/?p=7589#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/cryptonews.uk.com\/?p=7589\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cryptonews.uk.com\/?p=7589#primaryimage\",\"url\":\"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/03\/cyber-security-hack.jpeg\",\"contentUrl\":\"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/03\/cyber-security-hack.jpeg\",\"width\":1920,\"height\":1047},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/cryptonews.uk.com\/?p=7589#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/cryptonews.uk.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/cryptonews.uk.com\/#website\",\"url\":\"https:\/\/cryptonews.uk.com\/\",\"name\":\"Crypto News: Latest Cryptocurrency News and Analysis\",\"description\":\"Latest Crypto &amp; Bitcoin News\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/cryptonews.uk.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf\",\"name\":\"\u884c\u653f\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cryptonews.uk.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g\",\"caption\":\"\u884c\u653f\"},\"sameAs\":[\"http:\/\/demo3.aiwalls.com\/coinbase\"],\"url\":\"https:\/\/cryptonews.uk.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge - Crypto News: Latest Cryptocurrency News and Analysis","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cryptonews.uk.com\/?p=7589","og_locale":"en_US","og_type":"article","og_title":"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge","og_description":"Attackers compromised an employee laptop on March 1, extracted legacy credentials containing production secrets, and escalated access to Bitrefill\u2019s hot wallets, database, and gift card purchasing systems. Approximately 18,500 purchase records were accessed, including email addresses and crypto payment addresses. Bitrefill\u2019s investigation found forensic indicators, including malware signatures, on-chain fund tracing, and reused IP addresses,","og_url":"https:\/\/cryptonews.uk.com\/?p=7589","og_site_name":"Crypto News: Latest Cryptocurrency News and Analysis","article_published_time":"2026-03-18T11:40:41+00:00","author":"\u884c\u653f","twitter_card":"summary_large_image","twitter_misc":{"Written by":"\u884c\u653f","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/cryptonews.uk.com\/?p=7589","url":"https:\/\/cryptonews.uk.com\/?p=7589","name":"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge - Crypto News: Latest Cryptocurrency News and Analysis","isPartOf":{"@id":"https:\/\/cryptonews.uk.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cryptonews.uk.com\/?p=7589#primaryimage"},"image":{"@id":"https:\/\/cryptonews.uk.com\/?p=7589#primaryimage"},"thumbnailUrl":"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/03\/cyber-security-hack.jpeg","datePublished":"2026-03-18T11:40:41+00:00","author":{"@id":"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf"},"breadcrumb":{"@id":"https:\/\/cryptonews.uk.com\/?p=7589#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cryptonews.uk.com\/?p=7589"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cryptonews.uk.com\/?p=7589#primaryimage","url":"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/03\/cyber-security-hack.jpeg","contentUrl":"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/03\/cyber-security-hack.jpeg","width":1920,"height":1047},{"@type":"BreadcrumbList","@id":"https:\/\/cryptonews.uk.com\/?p=7589#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cryptonews.uk.com\/"},{"@type":"ListItem","position":2,"name":"Bitrefill Hack Exposes Wallets and Gift Card Systems as North Korean Links Emerge"}]},{"@type":"WebSite","@id":"https:\/\/cryptonews.uk.com\/#website","url":"https:\/\/cryptonews.uk.com\/","name":"Crypto News: Latest Cryptocurrency News and Analysis","description":"Latest Crypto &amp; Bitcoin News","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cryptonews.uk.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf","name":"\u884c\u653f","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cryptonews.uk.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g","caption":"\u884c\u653f"},"sameAs":["http:\/\/demo3.aiwalls.com\/coinbase"],"url":"https:\/\/cryptonews.uk.com\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/posts\/7589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7589"}],"version-history":[{"count":0,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/posts\/7589\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/media\/7590"}],"wp:attachment":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}