Lazarus Group's Latest Gig: Swiping 18.5K Gift Receipts & a Masterclass in Ancient Passwords
Crypto payments shop Bitrefill has pinned a March 1, 2026 digital smash-and-grab squarely on the North Korea-linked Lazarus Group. The heist saw the raiders rummage through parts of the company's backend and make off with the contents of some cryptocurrency hot wallets.
The crew managed to snag production keys, funnel funds out the door, and left about 18,500 purchase receipts flapping in the digital breeze. These slips contained email addresses, crypto payment destinations, and IP breadcrumbs. Roughly 1,000 even had encrypted usernames, because why not? Affected patrons have gotten the "we've been got" email.
The company declared it'll eat the losses from its own pocket, a refreshing change from the usual "our lawyers are drafting a blog post" strategy, and noted most systems are humming again. The whole affair is just another Tuesday for Lazarus Group, whose crypto portfolio includes previous hits on Ronin Network and Atomic Wallet—truly a connoisseur of digital asset extraction.
The point of entry was a depressingly classic tale: a compromised employee laptop that coughed up some legacy credentials older than a 2017 ICO. This digital skeleton key let the attackers waltz into Bitrefill's wider infrastructure, including the database and the wallets. The tip-off? Suppliers noticed some "unusual purchasing patterns," which is code for the attackers trying to exploit gift card supply chains like a degen farming a new side-chain.
Bitrefill observed the attackers casually draining hot wallets and sending the funds to their own addresses, a move so brazen it finally prompted the company to pull the plug. "Safely switching all these things off and bringing them back online is not trivial," the company noted, a masterful understatement about untangling a global e-commerce operation from a state-sponsored hacker's clutches.
The firm's probe, aided by white-hats and on-chain sleuths, concluded that customer data wasn't the main prize. The attackers ran some limited, targeted queries focused on crypto holdings and inventory, rather than trying to exfiltrate the entire database—a small mercy, given Bitrefill's policy of storing minimal personal data and not forcing KYC on everyone.
In the wake of the chaos, Bitrefill has decided to bolt the door. New measures include full-scale penetration tests, tightened internal access controls (so not every intern has the keys to the kingdom), and souped-up logging to spot threats faster. They're also fine-tuning their incident response playbook and automated shutdown protocols, because sometimes you need a digital dead man's switch.
Bitrefill conceded this was its first major breach in over ten years of business, a run longer than most meme coins. The company emphasized it's still flush with cash and in the black, fully able to stomach the operational hit. Sales volumes, they report, are already crawling back to their pre-heist normalcy.
"Getting hit by a sophisticated attack sucks (a lot)," the company admitted with admirable bluntness. "But we survived. We will continue to do our best to continue deserving our customers' trust." A sentiment as solid as a cold wallet, if slightly more scarred.