March 1st incident report

2026-03-18 Bitrefill

https://archive.md/QMdnW

Bitrefill says a March 1, 2026 intrusion showed similarities to past DPRK Lazarus/Bluenoroff attacks on cryptocurrency companies, citing modus operandi, malware, on-chain tracing, and reused IP and email addresses. Initial access came from a compromised employee laptop where a legacy credential was stolen and then used to reach a snapshot containing production secrets. The attackers expanded into broader infrastructure, parts of the database, and certain cryptocurrency wallets, while suspicious supplier purchasing patterns and hot-wallet draining triggered containment. Bitrefill reports that about 18,500 purchase records were accessed, including limited customer data such as email addresses, crypto payment addresses, IP metadata, and potentially names for roughly 1,000 purchases where encryption keys may also have been exposed. The incident is relevant to DPRK-focused tracking because it combines crypto-sector targeting, credential theft, secrets exposure, supplier inventory abuse, and wallet theft in an operation the victim says resembles Lazarus/Bluenoroff activity.
