North Korea’s Crypto Theft Operations: The Role of Lazarus Group in State-Sponsored Financial Warfare

2026-03-20 Cyble

https://cyble.com/blog/lazarus-group-bitrefill-cyberattack/

Cyble says Bitrefill attributed a March 1, 2026 intrusion to actors linked to Lazarus Group, citing malware similarities, reused IP addresses, email patterns, and blockchain tracing. The attackers allegedly entered through a compromised employee laptop, used a legacy credential to reach production secrets, moved laterally, queried databases, drained hot wallets, and abused the gift card supply chain. Bitrefill reported exposure of about 18,500 purchase records, including email addresses, crypto payment addresses, IP metadata, and potentially encrypted customer names for roughly 1,000 transactions if keys were compromised. The incident reinforces DPRK-linked operators' focus on cryptocurrency platforms, where credential abuse, hot-wallet access, and supplier workflows can be converted quickly into revenue.
