Bitrefill Cyberattack Exposes 18,500 Records and Hot Wallets

Bitrefill cyberattack on March 1, 2026 followed a compromised employee laptop, which enabled attackers to reach production keys and steal funds from multiple hot wallets. The incident exposed about 18,500 transaction/purchase records. A leaked dataset included email addresses, crypto payment addresses, partial IP data, and full names in roughly 1,000 records. Bitrefill says the data was encrypted, but warns the attackers may have obtained decryption keys, so all compromised records are treated as potentially at risk. Bitrefill stressed that KYC information was not impacted because identity verification is stored off-platform with a third-party provider. The company also said attackers did not access user accounts or obtain financial verification documents. It attributed the intrusion to the Lazarus Group, reportedly using legacy login credentials and an unused access credential to move laterally inside its infrastructure, including suspicious orders routed through in-platform gift card suppliers. For traders, this is primarily a platform security event: Bitrefill cyberattack claims wallet exposure and operational losses, but it does not indicate broad compromise of major on-chain assets. Services were taken offline and then largely restored by March 17 after an internal review and security overhaul, with the firm covering losses from its own funds and improving controls, logging, and incident response.