North Korean Lazarus Group Breaches Crypto Platform Bitrefill, Exposing 18,500 Purchase Records
What Happened – On March 1, 2024, the cryptocurrency‑focused e‑commerce platform Bitrefill was infiltrated by actors linked to North Korea’s Lazarus Group. The attackers first compromised an employee laptop, harvested a legacy credential from it, and used that credential to reach production databases and cryptocurrency wallets. They exfiltrated roughly 18,500 purchase records (email addresses, crypto payment addresses, IP metadata) and drained several wallets.
Why It Matters for TPRM –
- Exposure of payment‑related data heightens fraud risk for downstream merchants and end‑users.
- Compromise of a crypto‑payment provider signals supply‑chain vulnerability for any organization that integrates Bitrefill’s APIs or gift‑card services.
- Successful credential theft underscores the need for stringent identity‑and‑access controls across third‑party vendors.
Who Is Affected – The roughly 18,500 Bitrefill customers whose purchase records were exposed; financial‑services firms and crypto‑payment processors that integrate Bitrefill; and merchants whose gift cards and top‑ups are sold through Bitrefill’s platform (e.g., Amazon, Apple, Uber, Walmart).
Recommended Actions – Review Bitrefill’s security posture and contractual controls; verify that MFA and credential‑rotation policies cover legacy and service credentials, not only interactive user accounts, and that endpoint compromise cannot yield reusable production secrets; audit transaction monitoring for anomalous activity such as bulk record reads or unexpected wallet outflows; consider alternative vendors or supplemental controls for crypto‑payment workflows.
Technical Notes – Initial foothold gained via a compromised employee laptop; legacy credential exfiltrated and used to pivot into production systems. Attackers performed limited database queries to harvest purchase records and accessed cryptocurrency wallets, resulting in fund transfers to attacker‑controlled addresses. No public disclosure of the total financial loss. Source: The Record
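As an added example (not Bitrefill’s tooling and not taken from the source report), the following Python flags the pattern described in the Technical Notes over constructed audit lines: a deprecated or long‑idle credential used from a source address never seen before, and a single query returning an unusually large row count. The key=value log format, the inventory layout, the 90‑day idle threshold and the 1,000‑row bulk threshold are all assumptions.

```python
"""Detect use of dormant or deprecated credentials against production systems.

Added example for this brief; it is not Bitrefill's tooling. The log format,
field names, inventory layout and thresholds are assumptions, and the audit
lines below are constructed so the module runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed: a credential idle this long counts as "legacy"
BULK_ROWS = 1000                     # assumed: rows returned by one query that looks like a dump


@dataclass(frozen=True)
class Event:
    ts: datetime
    cred: str
    src_ip: str
    target: str
    action: str
    rows: int


@dataclass(frozen=True)
class Alert:
    cred: str
    code: str      # UNKNOWN_CRED, DEPRECATED_CRED, DORMANT_CRED, NEW_SOURCE_IP or BULK_READ
    detail: str


def parse_line(line: str) -> Event:
    """Parse one assumed key=value audit line, e.g.
    '2024-03-01T02:14:09Z cred=svc-legacy-db src=203.0.113.7 target=prod-db action=select rows=18500'
    """
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        cred=fields["cred"],
        src_ip=fields["src"],
        target=fields["target"],
        action=fields["action"],
        rows=int(fields.get("rows", "0")),
    )


def detect(lines, inventory, dormant_after=DORMANT_AFTER, bulk_rows=BULK_ROWS):
    """Return alerts for events that look like legacy-credential abuse.

    inventory maps credential name -> {"last_seen": datetime, "deprecated": bool,
    "known_src": set of IPs}. The caller's inventory is left untouched; last_seen
    is tracked on a private copy so only the first use after a long gap is
    flagged as dormant. known_src is deliberately never learned from traffic.
    """
    state = {cred: dict(rec) for cred, rec in inventory.items()}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        rec = state.get(ev.cred)
        if rec is None:
            alerts.append(Alert(ev.cred, "UNKNOWN_CRED", f"not in inventory, hit {ev.target}"))
        else:
            idle = ev.ts - rec["last_seen"]
            if rec["deprecated"]:
                alerts.append(Alert(ev.cred, "DEPRECATED_CRED", f"retired credential used against {ev.target}"))
            if idle > dormant_after:
                alerts.append(Alert(ev.cred, "DORMANT_CRED", f"idle {idle.days} days before use"))
            if ev.src_ip not in rec["known_src"]:
                alerts.append(Alert(ev.cred, "NEW_SOURCE_IP", f"first use from {ev.src_ip}"))
            rec["last_seen"] = ev.ts
        if ev.rows >= bulk_rows:
            alerts.append(Alert(ev.cred, "BULK_READ", f"{ev.action} returned {ev.rows} rows from {ev.target}"))
    return alerts


# Constructed inventory and audit lines (not real Bitrefill data).
SAMPLE_INVENTORY = {
    "svc-legacy-db": {"last_seen": datetime(2023, 10, 15), "deprecated": True,
                      "known_src": {"10.0.0.5"}},
    "alice": {"last_seen": datetime(2024, 2, 28, 17, 30), "deprecated": False,
              "known_src": {"10.0.0.12"}},
}
SAMPLE_LINES = [
    "2024-02-29T09:00:00Z cred=alice src=10.0.0.12 target=prod-db action=select rows=12",
    "2024-03-01T02:14:09Z cred=svc-legacy-db src=203.0.113.7 target=prod-db action=select rows=18500",
    "2024-03-01T02:20:00Z cred=svc-legacy-db src=203.0.113.7 target=wallet-signer action=sign rows=0",
    "2024-03-01T03:00:00Z cred=bob src=10.0.0.9 target=prod-db action=select rows=3",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES, SAMPLE_INVENTORY):
        print(f"{a.cred:14} {a.code:16} {a.detail}")
```

The ordinary user `alice` produces nothing, while the retired service credential trips four checks on its first query and two more when it touches the wallet signer minutes later; the inventory’s `known_src` is intentionally not updated from observed traffic, so the attacker’s address stays anomalous for the whole session.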