Skip to content

Cybercriminals steal $1.5 million in crypto cash from Bitcoin ATMs

  • by
  • 3 min read

Bitcoin ATMs sold and managed by General Bytes were hacked into by attackers using an interface designed to upload videos to inject a malicious Java payload which stole at least 56 Bitcoin (roughly $1.5 million at the time of writing) from crypto wallets on March 17. The first signs of intrusion were discovered on March 18 and General Bytes issued a patch fixing the vulnerability within 15 hours, but an unknown number of crypto owners had already lost their money by then. 

General Bytes sold these ATMs and monitored some of them with a cloud service. According to the company’s official statement, the attacker(s) identified a vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server. The attacker then scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741. This included the General Bytes Cloud service and other company ATM operators running their servers on Digital Ocean. 

Finally, by exploiting the vulnerability the attacker was able to upload a custom application directly to the application server used by the admin interface. The application server was by default configured to start applications in its deployment folder, giving the attacker BATM access and the ability to transfer funds from hot wallets.

Can cryptocurrency replace fiat currency? Why does its value change?

Overall, exploiting the now-patched vulnerability gave the attacker the ability to do the following tasks:

  • Access databases
  • Read and decrypt API keys to access funds in hot wallets and exchanges
  • Transfer funds from hot wallets
  • Download usernames and password hashes and turn off 2FA
  • Access terminal event logs and scan for instances where customers scanned private keys at the ATM. This information was logged by an older version of the ATM firmware. 

The company further added that it conducted several security audits since 2021, but none of them revealed the vulnerability. It then asked the customers to shut down their CAS servers as soon as possible as the attacker could upload their application remotely via the master service interface and has strongly advised against restarting them before applying the recommended security fixes

This is General Byte’s second breach in seven months and moving forward, the company is shuttering its cloud service, asking clients to manage their own ATMs using their own standalone servers. Customers have already been provided with instructions and guidance on the migration with the company hoping they “understand it’s better for all of us”. Additionally, General Bytes is also collecting data from its clients to validate losses along with running an internal investigation. 

In the News: Lionsgate leaks 20GB of server logs with 30 million entries

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: