Crypto e-commerce platform Bitrefill accuses North Korea of stealing 18,500 purchase records
North Korean hackers attacked cryptocurrency platform Bitrefill after obtaining credentials by compromising an employee's computer, stealing user data and funds. 2026-3-18 02:1:5 Author: therecord.media

North Korean hackers targeted cryptocurrency e-commerce platform Bitrefill during an attack on March 1, according to a post-mortem from the company published Tuesday. 

In a lengthy statement, Bitrefill said hackers allegedly tied to North Korea’s Lazarus group accessed around 18,500 purchase records that contained email addresses, crypto payment addresses and metadata including IP addresses.

Bitrefill is designed to allow people to live off of cryptocurrency, enabling users to buy digital gift cards or pay bills online with it. The company has partnerships with Amazon, Doordash, Apple, Uber, Walmart and more.

The company first announced issues on March 1 and was eventually forced to take systems offline when the problem was discovered to be a security breach.

The company restored its website and app on March 5, intimating at the time that North Korea was responsible for the attack. Law enforcement and cybersecurity experts assisted in the investigation. 

In its post-mortem, the company confirmed that based on the tactics, malware, IP addresses, email addresses and blockchain activity, the incident was attributed to hackers connected to North Korea's Lazarus Group. 

“The initial access originated through a compromised employee laptop, from which a legacy credential was exfiltrated,” the company said. “That credential provided access to a snapshot containing production secrets. From there, the attackers were able to escalate their access to our broader infrastructure, including parts of our database and certain cryptocurrency wallets.”

The breach was discovered because the company noticed suspicious purchasing patterns with certain suppliers, a sign that its gift card stock and supply lines were being exploited.

Some company cryptocurrency wallets were drained and funds were transferred to hacker-controlled wallets. 

The statement does not say how much was taken and whether those funds were clawed back. Bitrefill did not respond to requests for comment. The company said it plans to absorb the losses through its operational capital.

Bitrefill claims the hackers were not after their entire customer database and conducted “a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory.”

In November, the Justice Department said it was able to seize more than $15 million that had been stolen by Lazarus during four separate incidents in 2023. 

Lazarus is allegedly organized within the North Korean Reconnaissance General Bureau and has stolen billions worth of cryptocurrency over the last nine years, with blockchain monitoring firm Chainalysis saying hacking groups connected to North Korea’s government stole $1.3 billion worth of cryptocurrency across 47 incidents in 2024.

Chainalysis reported that more than $2 billion worth of crypto was taken by North Korean hackers last year. Much of the figure is attributed to the $1.5 billion theft from Dubai-based platform Bybit in February. South Korean officials also accused North Korea of stealing $30 million worth of cryptocurrency from crypto platform Upbit.

As seen in the attack on Bitrefill, North Korean actors have typically focused on stealing private keys or secrets that grant a person full control over digital assets. 

Since Chainalysis began tracking the figures in 2022, North Korea has stolen $6.8 billion in crypto. The United Nations said in 2024 that it is tracking dozens of incidents over a five-year period that have netted North Korea about $3 billion.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Article source: https://therecord.media/crypto-platform-accuses-north-korea-hack