Some users of General Bytes bitcoin ATMs may have recently found crypto missing from their accounts, as the company disclosed that hackers were able to exploit a vulnerability in units that were connected to the Digital Ocean cloud platform.
The issue apparently did not impact all of the bitcoin ATMs (of which there are some 15,000 across the world), and would not affect those that have standalone management systems. At least 15 operators were compromised, however, and likely millions in various currencies were lost.
$1.5 Million in crypto confirmed stolen, but count continues
General Bytes says that it can confirm the theft of about 56 BTC, or about $1.5 million in total. However, the bitcoin ATMs deal in over 60 types of crypto and the full scope of the theft is still being investigated.
The weakness was in some sort of video upload system included with the bitcoin ATMs, the purpose of which still appears to be unknown. The attackers were able to hijack the feature and upload malicious JavaScript instead of video. General Bytes maintains that it has been conducting regular security audits since the ATMs went on the market, but somehow this flaw evaded detection until it was exploited.
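The class of flaw described above is a file-upload feature that trusted what the client said about the file instead of checking the bytes it received. Below is an added, illustrative example of the server-side checks a defender would expect such a feature to make; it is not General Bytes' code and assumes nothing about the real video feature. The size limit, extension allowlist, magic-byte signatures and sample inputs are all constructed for this example.

```python
import os
import secrets

# Constructed limits and allowlist for this example (not General Bytes settings).
MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # 50 MiB

# extension -> (expected declared MIME type, check against the file's own bytes)
ALLOWED = {
    # ISO BMFF (MP4): 4-byte box size followed by the 'ftyp' box type
    ".mp4": ("video/mp4", lambda d: len(d) >= 12 and d[4:8] == b"ftyp"),
    # Matroska/WebM: EBML header 1A 45 DF A3
    ".webm": ("video/webm", lambda d: d[:4] == b"\x1a\x45\xdf\xa3"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def looks_like_text(sample: bytes) -> bool:
    """True if the sample is overwhelmingly printable ASCII, as script source is and a video container is not."""
    if not sample:
        return True
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.9


def validate_video_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Validate an upload and return a server-chosen storage name.

    The client-supplied filename and Content-Type are untrusted hints only;
    the decision rests on the bytes actually received.
    """
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size out of range")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    expected_type, magic_ok = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        raise UploadRejected("declared Content-Type does not match extension")
    if not magic_ok(data):
        raise UploadRejected("content does not carry the expected video signature")
    if looks_like_text(data[:512]):
        raise UploadRejected("content is text, not a video container")
    # Never reuse the client's name on disk: random name, vetted extension only.
    return secrets.token_hex(16) + ext


def is_accepted(filename: str, declared_type: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes, False if it is rejected."""
    try:
        validate_video_upload(filename, declared_type, data)
        return True
    except UploadRejected:
        return False


def download_headers(storage_name: str) -> dict:
    """Headers for serving a stored upload so a browser never runs it as script."""
    ext = os.path.splitext(storage_name)[1].lower()
    return {
        "Content-Type": ALLOWED[ext][0],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{storage_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs (binary filler stands in for real media data).
SAMPLE_MP4 = b"\x00\x00\x00\x20ftypisom\x00\x00\x02\x00isomiso2avc1mp41" + bytes(range(256)) * 4
SAMPLE_WEBM = b"\x1a\x45\xdf\xa3" + bytes(range(256)) * 2
SAMPLE_SCRIPT = b"console.log('this file is script source, not a video container');"
# Script with a forged container header prepended: passes the magic check, fails the text check.
SAMPLE_SCRIPT_FAKE_HEADER = b"\x00\x00\x00\x18ftypisom" + SAMPLE_SCRIPT

if __name__ == "__main__":
    print("genuine mp4:", is_accepted("clip.mp4", "video/mp4", SAMPLE_MP4))
    print("genuine webm:", is_accepted("clip.webm", "video/webm", SAMPLE_WEBM))
    print("script renamed .mp4:", is_accepted("clip.mp4", "video/mp4", SAMPLE_SCRIPT))
    print("script with forged header:", is_accepted("clip.mp4", "video/mp4", SAMPLE_SCRIPT_FAKE_HEADER))
    print("headers:", download_headers("deadbeef.mp4"))
```

The point of the layering is that no single check carries the decision: the extension allowlist stops `.js` outright, the Content-Type comparison catches a mismatched claim, the magic-byte check catches a script renamed to `.mp4`, and the printable-text heuristic catches a script with a forged container header. Serving stored files with a fixed Content-Type, `nosniff` and `attachment` means that even a file which slipped through every check would be downloaded, not executed, by a browser visiting the kiosk's management interface.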
General Bytes says that it is no longer confident that it can secure cloud-connected ATMs and will be deprecating the option, requiring bitcoin ATM owners to switch to a standalone system. The company had previously recommended Digital Ocean as a solution to owners. The company issued a statement indicating that it will help these operators to transition with technical assistance. General Bytes had previously suffered a zero-day breach in August 2022 that also resulted in the theft of crypto funds from ATM users.
Attackers were able to access wallets, passwords of bitcoin ATM users
The exploit appears to have given the attackers a very high level of access to the impacted bitcoin ATMs, allowing them to intercept private API keys and directly access user crypto wallets. This includes disabling two-factor authentication and being able to view and change user passwords.
Though General Bytes took some responsibility for the crypto thefts, it also appeared to place some blame on the impacted bitcoin ATM operators by saying that these devices were not protected by firewalls and VPNs. The company's statement on the incident indicated that none of the kiosks are supposed to be connected to the internet without a firewall and a VPN in place.
A relatively small amount of Ethereum ($39,000) that was stolen appears to have already been converted by the thieves, but there is still some hope that others will regain their lost crypto. The bulk of the stolen BTC appears to be sitting in the wallet used for the theft. Given that General Bytes is one of the biggest names in the industry, this incident could very well have a major impact on the market for bitcoin ATMs.