GasCope
Lazarus Swiped the Gift Cards and Our Last Nerve (But the Wallets Are Fine)

Bitrefill got popped. Again. This time, the digital burglars signed their work: North Korea’s Lazarus Group. The party started March 1, 2026, when an employee’s laptop—because of course it was a laptop—served up a legacy credential like an appetizer. From that foothold, they strolled into production, took a leisurely scroll through the database, and siphoned a few hot wallets dry. Just another Tuesday.

The telltale sign? Suspiciously enthusiastic gift card purchases. Bitrefill spotted cards flying off the digital shelves as if they were the last NFTs with utility. It turns out the hackers weren't just here for the crypto; they were also running a side hustle on the inventory system.

A cool 18,500 purchase records got a peek. Emails, crypto addresses, IP logs—the whole digital footprint buffet was laid out. About 1,000 of those records came with encrypted customer names. Bitrefill admits the keys to that chest might have walked off. So they alerted those users. No mass panic. No KYC paperwork lying around. All the really spicy data lives with a third-party custodian, because not your keys, not your… personal info. No backup plan needed. No fingers pointed.

The malware signatures, the on-chain breadcrumbs, the reused IPs and emails? Textbook Lazarus. Chainalysis notes that DPRK’s finest bagged $2.02B in crypto last year—nearly 60% of all stolen digital loot. Bitrefill didn't need a blockchain analyst; they just needed to check the calling card left on the digital fridge.

They pulled the plug on everything. Patched the holes they could find. Covered the losses from the company wallet—no VC bailout, no drama. Just a decade-old biz doing the crypto equivalent of dusting itself off and muttering, "Still here."

Payments? Operational. Inventory? Topped up. Sales? Bounced back to pre-heist levels. They’ve onboarded security mercenaries, locked down access like a seed phrase in a steel plate, improved logging, and automated kill switches—because apparently, one rogue laptop is all it takes to throw a wrench in the gears.

The customer data wasn't the prize. The gift cards? That was the main score. The crypto? Just found money on the dresser.

And if you're asking why any of this is notable? It's because even when the attackers have a nation-state budget and follow the hacker's playbook to the letter, the ultimate flex in crypto remains a simple one: staying online.

Publisher: gascope.com
Published
Updated: Mar 18, 2026, 00:04 UTC
