North Korea’s BlueNoroff group (Lazarus/APT38) breached Bitrefill’s crypto gift card platform in early March 2026 via a single compromised employee laptop, pivoting to production secrets, cryptocurrency hot wallets, and gift card inventory systems and exfiltrating approximately 18,500 customer purchase records. The attack exploited credential and access control failures including legacy credential reuse and co-located decryption keys, with possible theft of those keys meaning actual data exposure likely exceeds the raw record count. Crypto-adjacent and financial organizations should treat this as a high-fidelity threat signal, audit endpoint access to production credential stores, rotate any secrets accessible from employee workstations, and implement secrets management solutions with short-lived dynamic credentials as a structural remediation.