2026-03-20
Cyble
North Korea’s Crypto Theft Operations: The Role of Lazarus Group in State-Sponsored Financial Warfare
#Bitrefill
#Lazarus
Bitrefill
#Bitrefill
- Reported: 2026-03
- Locations: Sweden
- Motivations: #FinancialGain #DataBreach
- Sectors: #Cryptocurrency
Summary
Bitrefill experienced a cyberattack beginning around early March 2026, which was traced back to a compromised employee device that exposed internal credentials. Using this access, attackers infiltrated the company’s systems and were able to drain funds from its hot wallets while also abusing its gift card infrastructure. The breach led to unauthorized transactions and unusual purchasing activity, which eventually triggered detection and forced the company to shut down parts of its system to contain the incident.
In addition to financial losses, the attackers accessed tens of thousands of purchase records, including customer emails, crypto wallet addresses, and some encrypted data. Bitrefill has not disclosed the exact amount stolen but confirmed both monetary damage and operational disruption. The company noted that the attack showed patterns similar to those used by the Lazarus Group, although it stopped short of making a definitive attribution.