Bitrefill blames North Korean hackers for March 1 exploit, commits to cover losses

Bitrefill has released a comprehensive report on a security breach that occurred on March 1, and it believes it to be the work of the North Korean hacking group called the Lazarus Group. 

The Lazarus Group was also responsible for the largest single heist in crypto history when it hit Bybit early last year for more than $1 billion.

The company was transparent about how the incident occurred, but it did not disclose the exact amount stolen. Bitrefill claims its network was accessed through the compromised laptop of an employee, resulting in several hot wallets being drained. 

Did Bitrefill hide that it got hacked?  

Bitrefill has released a comprehensive post-mortem regarding a security breach that began on March 1. The company formally blamed the attack on the North Korean hacking group known as Lazarus Group or Bluenoroff because of the evidence it examined, based on the specific malware used, the modus operandi of the attackers, on-chain tracing of stolen funds, and the reuse of specific IP and email addresses previously linked to North Korean operations.

The incident began when an employee’s laptop was compromised and used as an initial point of entry for the hackers to gain access to a legacy credential. This credential granted the attackers access to a snapshot of the company’s systems that contained production secrets. 

With these secrets in hand, the Lazarus Group was then able to spread its access across Bitrefill’s infrastructure. They eventually reached parts of the company database and several cryptocurrency hot wallets.

Bitrefill’s security team first noticed the breach through “suspicious purchasing patterns” involving their suppliers. The attackers were exploiting the company’s gift card stock and supply lines. 

Simultaneously, the company realized that funds were being drained from their hot wallets and moved to wallets controlled by the attackers. 

In response, Bitrefill immediately took all systems offline to contain the threat, but due to the fact that the company’s global e-commerce network has thousands of products and dozens of suppliers, the process of safely shutting down and rebooting the infrastructure took over two weeks. 

How much was stolen during the Bitrefill breach?

Bitrefill’s investigation revealed that the hackers were not very interested in stealing customer data; not that they would have been able to. The company emphasized that its business model is designed to store very little personal information. It does not require mandatory “Know Your Customer” (KYC) documentation for most users, and data provided for higher-tier verification is managed by an external provider and was not stored on the systems that were breached.

However, the attackers did access approximately 18,500 purchase records. These records included customer email addresses, cryptocurrency payment addresses, and metadata such as IP addresses. 

About 1,000 of Bitrefill’s customers who had to provide names for specific products had their data encrypted. However, because the hackers may have accessed the encryption keys, Bitrefill is treating that data as potentially compromised and has already emailed those affected.

Regarding financial losses, Bitrefill has announced that it will absorb the impact. Although hot wallets were drained, the company stated it remains well-funded and has been profitable for several years. All user balances remain safe and unaffected. 

Bitrefill worked with several high-profile security entities, including Zeroshadow, SEAL Org, and the Recoveris Team to map the movement of the stolen funds on the blockchain. They also assisted in the forensic cleanup of the company’s servers. 

Bitrefill has since tightened internal access controls to ensure a single compromise cannot lead to a full system breach. The company also improved its shutdown procedures to react faster to suspicious database requests.

The company also stated it is continuing to conduct thorough pentests (penetration tests) with external experts to find any remaining vulnerabilities. Currently, almost all services, including payments, stock replenishment, and account features have returned to normal.