Cryptocurrency automated teller machine (ATM) manufacturer General Bytes suffered a security breach on March 17, enabling an attacker to access funds in hot wallets and exchanges, steal usernames and passwords, and turn off two-factor authentication. The attacker was able to remotely upload their own Java application using the master service interface and had access to BATM user privileges. The incident affected the company’s cloud services as well as standalone servers of other operators. General Bytes has produced 9,505 cryptocurrency ATMs globally, with thousands located in the United States.
The Breach Severity
General Bytes described the breach as “highest” severity, with the hacker being able to siphon off 56.28 bitcoins worth approximately $1.5 million, and liquidate other cryptocurrencies such as ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. The company confirmed that the hacker was also able to access the database, read and decrypt API keys, and download usernames and password hashes.
Implications for Operators
Following the security breach, all U.S. operators using General Bytes machines were shut down nationwide for the evening, and servers would have to be rebuilt from the ground up, which can be a lengthy process. General Bytes has started transitioning cryptocurrency ATM operators to self-hosted servers and is discontinuing its cloud service. The company stated that it had conducted multiple security audits since 2021, but none of them had identified this vulnerability.
IP Addresses Used in Attack
General Bytes disclosed the cryptocurrency addresses used in the attack and three IP addresses used by the attacker. While some digital currencies were transferred to different locations, the bitcoin address holding the 56.28 BTC has not moved the funds since its last transaction on March 18. One U.S.-based cryptocurrency ATM operator confirmed that their firm’s system was hacked, but said the company runs a full node that is “locked down enough” to prevent the attacker from accessing funds.