Verify a decision

{"actor":"system:backfill","investigation_id":"8038ecc2-39f1-4530-bfdf-f87bf4b49de2","kind":"publish","page_slug":"bitrefill","published_at":"2026-06-04T03:35:58.419Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Bitrefill","sections":[{"content":"Bitrefill was founded in 2014 and is headquartered in Stockholm, Sweden. The company was formerly incorporated as Pupot AB. Its core product is a crypto e-commerce storefront enabling users to spend Bitcoin, Ethereum, Litecoin, Dogecoin, Solana, USDC, USDT, and other cryptocurrencies on digital gift cards spanning major global brands including Amazon, Walmart, Starbucks, Apple, Netflix, Spotify, and Uber, as well as prepaid mobile top-ups and eSIMs. The platform supports Lightning Network payments for sub-second transaction finality and operates in over 100 countries. Bitrefill explicitly does not require mandatory Know Your Customer (KYC) verification for most purchases, storing only limited customer information and keeping verification data with external providers. The company self-describes as well-funded and profitable.","heading":"Company Overview","severity":"low","sources":[{"credibility":1,"name":"Bitrefill official website","type":"official","url":"https://www.bitrefill.com/us/en/"},{"credibility":2,"name":"Bitrefill company profile — Crunchbase","type":"other","url":"https://www.crunchbase.com/organization/bitrefill"},{"credibility":2,"name":"Stockholm-based cryptocurrency startup Bitrefill raises $2 million — Tech.eu","type":"news_article","url":"https://tech.eu/2019/06/13/stockholm-based-cryptocurrency-startup-bitrefill-raises-2-million/"}]},{"content":"On March 1, 2026, Bitrefill was the target of a cyberattack subsequently attributed to the North Korean state-sponsored Lazarus Group (specifically the Bluenoroff financial-crime subunit). The initial access vector was a compromised employee laptop from which attackers exfiltrated a legacy credential. That credential provided access to a snapshot containing production secrets, which the attackers used to escalate privileges across Bitrefill's infrastructure, including parts of its database and certain cryptocurrency hot wallets. Bitrefill first detected the intrusion by noticing suspicious purchasing patterns with certain gift card suppliers, indicating that supply lines were being exploited. Simultaneously, hot wallets were found to be drained, with funds transferred to attacker-controlled addresses. Upon identifying the breach, Bitrefill took all systems offline as a containment measure. The company's official incident report was published on X (formerly Twitter) on March 17–18, 2026. Most systems, including payments, stock management, and user accounts, were restored to normal operation by approximately March 5, 2026, with sales volumes returning to normal levels thereafter.","heading":"March 2026 Cyberattack — Attack Vector and Timeline","severity":"critical","sources":[{"credibility":1,"name":"Bitrefill blames North Korea-linked Lazarus hacker group for compromising 18,500 purchase records — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/18/bitrefill-accuses-north-korea-linked-lazarus-hacker-group-for-compromising-18-500-purchase-records"},{"credibility":1,"name":"Bitrefill blames North Korean Lazarus group for cyberattack — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"credibility":1,"name":"Crypto e-commerce platform Bitrefill accuses North Korea of stealing 18,500 purchase records — The Record (Recorded Future)","type":"news_article","url":"https://therecord.media/crypto-platform-accuses-north-korea-hack"},{"credibility":1,"name":"Crypto Gift Card Platform Bitrefill Discloses Hack, Points Finger at North Korean Groups — Decrypt","type":"news_article","url":"https://decrypt.co/361462/crypto-gift-card-platform-bitrefill-hack-north-korean-groups"}]},{"content":"Attackers accessed approximately 18,500 purchase records during the breach. Each record contained limited customer data: email addresses, cryptocurrency payment addresses, and metadata including IP addresses. For approximately 1,000 of those purchase records, transactions required customers to supply a name; that information was stored in encrypted form in the database. Because the attackers may have obtained access to encryption keys, Bitrefill stated it was treating those approximately 1,000 name-associated records as potentially compromised and notified affected customers directly by email. Bitrefill emphasized that it does not require full KYC and stores very little personal data, with sensitive identity verification maintained by external providers rather than on company systems. No evidence of a full database exfiltration was reported; attackers conducted a limited number of targeted queries focused on cryptocurrency inventory and gift card stock. The specific monetary value of cryptocurrency drained from hot wallets was not disclosed by Bitrefill in its public incident report.","heading":"Data Exposure and Customer Impact","severity":"high","sources":[{"credibility":1,"name":"Bitrefill blames North Korean Lazarus group for cyberattack — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"credibility":1,"name":"Crypto e-commerce platform Bitrefill accuses North Korea of stealing 18,500 purchase records — The Record","type":"news_article","url":"https://therecord.media/crypto-platform-accuses-north-korea-hack"},{"credibility":1,"name":"Bitrefill blames North Korea-linked Lazarus hacker group — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/18/bitrefill-accuses-north-korea-linked-lazarus-hacker-group-for-compromising-18-500-purchase-records"},{"credibility":2,"name":"Crypto Platform Bitrefill Hacked: 18,500 User Records Exposed — CoinPedia","type":"news_article","url":"https://coinpedia.org/news/bitrefill-hack-lazarus-group-suspected-in-major-crypto-cyberattack-18500-users-affected/"}]},{"content":"Bitrefill attributed the March 1, 2026 attack to the DPRK Lazarus Group, and specifically to its Bluenoroff financial-crime subunit, based on several categories of evidence gathered during its internal investigation. The company identified similarities in modus operandi and the specific malware used, on-chain tracing of funds to addresses associated with prior Lazarus Group operations, and reused IP addresses and email addresses consistent with prior DPRK Bluenoroff campaigns against other cryptocurrency companies. Bitrefill stated it engaged cybersecurity experts, blockchain analysts, and law enforcement in its investigation. Independent security researchers at Cyble also analyzed the incident in the context of Lazarus Group's broader campaign against cryptocurrency platforms. The Lazarus Group and its Bluenoroff subunit have been attributed by U.S. government agencies to numerous major cryptocurrency thefts, including the 2022 Ronin Network hack ($625 million), the 2022 Harmony Horizon Bridge hack ($100 million), the 2023 Atomic Wallet breach, and the 2025 Bybit hack ($1.5 billion, the largest single crypto theft on record). North Korean state-sponsored hackers are estimated to have stolen over $6.8 billion in cryptocurrency since 2022. It should be noted that Bitrefill's attribution is based on its own investigation and external analysis; no independent confirmation from U.S. or allied government agencies has been publicly reported as of the investigation date.","heading":"Attribution to Lazarus Group / DPRK Bluenoroff","severity":"critical","sources":[{"credibility":1,"name":"Bitrefill blames North Korea-linked Lazarus hacker group — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/18/bitrefill-accuses-north-korea-linked-lazarus-hacker-group-for-compromising-18-500-purchase-records"},{"credibility":1,"name":"Bitrefill blames North Korean Lazarus group — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"credibility":2,"name":"Lazarus Group Bitrefill Cyberattack Crypto Threat — Cyble","type":"research","url":"https://cyble.com/blog/lazarus-group-bitrefill-cyberattack/"},{"credibility":3,"name":"North Korea's $6 Billion Crypto Crime Spree — Crypto Impact Hub","type":"news_article","url":"https://cryptoimpacthub.com/north-korea-6-billion-crypto-theft-dprk-lazarus-2026/"}]},{"content":"Following detection of the breach, Bitrefill immediately took all systems offline as a containment measure, then restored services in phases. The company stated it would cover all financial losses — including drained hot wallet funds and stolen gift card inventory — from its operational capital, without passing any losses to customers. In its post-mortem, Bitrefill described the incident as its first major security breach in over a decade of operation. Remediation measures implemented or announced include: expanded external penetration testing and security reviews; tighter access controls and privilege management; improved logging and monitoring systems; refined automated shutdown mechanisms; and updated incident response procedures. Bitrefill notified all customers whose records were accessed directly by email, including those with encrypted name data that was treated as potentially compromised. The company stated it was cooperating with law enforcement. As of the post-mortem publication on March 18, 2026, sales volumes had returned to normal.","heading":"Company Response and Remediation","severity":"medium","sources":[{"credibility":1,"name":"Bitrefill blames North Korean Lazarus group — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"credibility":1,"name":"Crypto e-commerce platform Bitrefill accuses North Korea — The Record","type":"news_article","url":"https://therecord.media/crypto-platform-accuses-north-korea-hack"},{"credibility":2,"name":"Bitrefill blames North Korean hackers for March 1 exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/bitrefill-north-korean-hackers-exploit/"}]},{"content":"The attack exploited a legacy credential retrieved from a compromised employee laptop — a class of vulnerability associated with inadequate credential rotation and lifecycle management. The presence of credentials with access to production secrets on an employee endpoint represents a systemic security control failure, regardless of the sophistication of the external attacker. Bitrefill acknowledged this failure and described remediation steps including tighter access controls. The broader Lazarus Group / Bluenoroff attack pattern documented by security researchers involves initial access via compromised employee devices, often through social engineering (including fake job offers, fraudulent calendar invites, and ClickFix-style clipboard injection attacks), followed by lateral movement using harvested credentials. Whether the Bitrefill employee laptop was compromised via social engineering or another method was not publicly disclosed.","heading":"Legacy Credential and Insider Threat Risk","severity":"high","sources":[{"credibility":1,"name":"Bitrefill blames North Korean Lazarus group — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"credibility":1,"name":"North Korea-linked actor targets Web3 execs in social-engineering campaign — Cybersecurity Dive","type":"news_article","url":"https://www.cybersecuritydive.com/news/north-korea-web3-execs-social-engineering-hacker/818639/"},{"credibility":2,"name":"BlueNoroff Group: The Financial Cybercrime Arm of Lazarus — Picus Security","type":"research","url":"https://www.picussecurity.com/resource/blog/bluenoroff-group-the-financial-cybercrime-arm-of-lazarus"}]},{"content":"Bitrefill has operated since 2014 and raised a total of approximately $2.35 million in disclosed funding, with investors including Draper Associates, BnkToTheFuture, Charlie Lee (creator of Litecoin), Coin Ninja, and Fulgur Ventures. The company characterized the March 2026 incident as its first major security breach in more than a decade of operation. No prior regulatory actions, enforcement proceedings, or significant prior security incidents involving Bitrefill have been identified through public records as of the investigation date. The company's no-mandatory-KYC model has been noted by some analysts as a dual-edged characteristic — it reduces customer data exposure in a breach scenario (as demonstrated here) but also reduces auditability of users.","heading":"Operational History and Prior Security Record","severity":"low","sources":[{"credibility":2,"name":"Stockholm-based cryptocurrency startup Bitrefill raises $2 million — Tech.eu","type":"news_article","url":"https://tech.eu/2019/06/13/stockholm-based-cryptocurrency-startup-bitrefill-raises-2-million/"},{"credibility":2,"name":"Bitrefill — Crunchbase","type":"other","url":"https://www.crunchbase.com/organization/bitrefill"},{"credibility":1,"name":"Bitrefill blames North Korean Lazarus group — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"}]}],"sources_used":[{"credibility":1,"name":"Bitrefill blames North Korea-linked Lazarus hacker group for compromising 18,500 purchase records — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/03/18/bitrefill-accuses-north-korea-linked-lazarus-hacker-group-for-compromising-18-500-purchase-records"},{"credibility":1,"name":"Bitrefill blames North Korean Lazarus group for cyberattack — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"credibility":1,"name":"Crypto e-commerce platform Bitrefill accuses North Korea of stealing 18,500 purchase records — The Record (Recorded Future News)","type":"news_article","url":"https://therecord.media/crypto-platform-accuses-north-korea-hack"},{"credibility":1,"name":"Crypto Gift Card Platform Bitrefill Discloses Hack, Points Finger at North Korean Groups — Decrypt","type":"news_article","url":"https://decrypt.co/361462/crypto-gift-card-platform-bitrefill-hack-north-korean-groups"},{"credibility":2,"name":"Crypto Platform Bitrefill Hacked: 18,500 User Records Exposed in Cyberattack — CoinPedia","type":"news_article","url":"https://coinpedia.org/news/bitrefill-hack-lazarus-group-suspected-in-major-crypto-cyberattack-18500-users-affected/"},{"credibility":2,"name":"Lazarus Group Bitrefill Cyberattack Crypto Threat — Cyble","type":"research","url":"https://cyble.com/blog/lazarus-group-bitrefill-cyberattack/"},{"credibility":2,"name":"Bitrefill hack linked to Lazarus: what it reveals about crypto risks — Invezz","type":"news_article","url":"https://invezz.com/news/2026/03/18/bitrefill-hack-linked-to-lazarus-what-it-reveals-about-crypto-risks/"},{"credibility":2,"name":"Bitrefill blames North Korean hackers for March 1 exploit, commits to cover losses — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/bitrefill-north-korean-hackers-exploit/"},{"credibility":1,"name":"Bitrefill official website","type":"official","url":"https://www.bitrefill.com/us/en/"},{"credibility":2,"name":"Bitrefill — Crunchbase company profile","type":"other","url":"https://www.crunchbase.com/organization/bitrefill"},{"credibility":2,"name":"Stockholm-based cryptocurrency startup Bitrefill raises $2 million — Tech.eu","type":"news_article","url":"https://tech.eu/2019/06/13/stockholm-based-cryptocurrency-startup-bitrefill-raises-2-million/"},{"credibility":1,"name":"North Korea-linked actor targets Web3 execs in social-engineering campaign — Cybersecurity Dive","type":"news_article","url":"https://www.cybersecuritydive.com/news/north-korea-web3-execs-social-engineering-hacker/818639/"},{"credibility":2,"name":"BlueNoroff Group: The Financial Cybercrime Arm of Lazarus — Picus Security","type":"research","url":"https://www.picussecurity.com/resource/blog/bluenoroff-group-the-financial-cybercrime-arm-of-lazarus"},{"credibility":2,"name":"Sergej Kotliar — Founder, CEO at Bitrefill — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/sergej-kotliar"}],"summary":"Bitrefill is a Stockholm-based cryptocurrency e-commerce platform founded in 2014 that allows users to purchase digital gift cards, eSIMs, and mobile top-ups using Bitcoin and other cryptocurrencies across more than 100 countries. On March 1, 2026, Bitrefill suffered a significant cyberattack attributed to the North Korea-linked Lazarus Group (Bluenoroff subunit), in which attackers compromised an employee laptop, escalated access via legacy credentials, drained hot wallets, and exposed approximately 18,500 customer purchase records. Bitrefill stated it would cover all financial losses from operational capital and characterized this as the platform's first major security incident in over a decade of operation.","timeline":[{"date":"2014-01-01","event":"Bitrefill founded in Stockholm, Sweden (formerly incorporated as Pupot AB) by Sergej Kotliar and co-founders","source":"Crunchbase / Tech.eu","source_url":"https://www.crunchbase.com/organization/bitrefill"},{"date":"2019-06-13","event":"Bitrefill raises $2 million seed round led by Coin Ninja, with participation from Charlie Lee, Fulgur Ventures, and BnkToTheFuture; total disclosed funding reaches approximately $2.35 million","source":"Tech.eu","source_url":"https://tech.eu/2019/06/13/stockholm-based-cryptocurrency-startup-bitrefill-raises-2-million/"},{"date":"2026-03-01","event":"Cyberattack begins: attackers compromise an employee laptop, exfiltrate legacy credentials, escalate to production secrets, drain hot wallets, and access approximately 18,500 purchase records; Bitrefill detects intrusion via anomalous supplier purchasing patterns and takes all systems offline","source":"CoinDesk / BleepingComputer / The Record","source_url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"date":"2026-03-02","event":"Bitrefill publicly discloses a security breach and begins taking services offline; announces investigation is underway","source":"BleepingComputer","source_url":"https://www.bleepingcomputer.com/news/security/bitrefill-blames-north-korean-lazarus-group-for-cyberattack/"},{"date":"2026-03-05","event":"Most Bitrefill systems — including payments, stock management, and user accounts — reported restored to normal operation","source":"The Record","source_url":"https://therecord.media/crypto-platform-accuses-north-korea-hack"},{"date":"2026-03-17","event":"Bitrefill publishes formal incident report on X (formerly Twitter), attributing the attack to DPRK Lazarus Group / Bluenoroff based on malware signatures, on-chain tracing, and reused attacker infrastructure","source":"CoinDesk / Decrypt / BleepingComputer","source_url":"https://www.coindesk.com/markets/2026/03/18/bitrefill-accuses-north-korea-linked-lazarus-hacker-group-for-compromising-18-500-purchase-records"},{"date":"2026-03-18","event":"Major media coverage of Bitrefill's Lazarus Group attribution published, including CoinDesk, BleepingComputer, The Record, and Decrypt; Bitrefill states losses will be covered from operational capital and sales volumes have normalized","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/03/18/bitrefill-accuses-north-korea-linked-lazarus-hacker-group-for-compromising-18-500-purchase-records"}]},"v":1}