Connect with us

Hi, what are you looking for?



Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes

Cryptocurrency ATM maker General Bytes discloses a security incident resulting in the theft of millions of dollars’ worth of crypto-coins.

Cryptocurrency ATM manufacturer General Bytes over the weekend disclosed a security incident that resulted in the theft of millions of dollars’ worth of funds.

The attackers, the company says, exploited a vulnerability in the master service interface that Bitcoin ATMs use to upload videos, which allowed them to upload a JavaScript script and execute it with batm user privileges.

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider),” the company says.

The code execution provided the attackers with access to the database and access to API keys for accessing funds in hot wallets and exchanges.

The attackers were then able to transfer funds from hot wallets, steal account usernames and password hashes, and disable two-factor authentication.

Furthermore, the attackers gained the “ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM”, information that was logged by older versions of ATM software.

“We urge all our customers to take immediate action to protect their funds and personal information,” General Bytes tweeted on March 18. The incident prompted most ATM operators in the US to suspend operations.

Advertisement. Scroll to continue reading.

In a security bulletin detailing the incident, the company has shared information on the steps customers should take to secure their GB ATM servers (CAS) and underlined that even those that might not have been impacted by the incident should implement the recommended security measures.

“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN.  With VPN/Firewall attackers from open internet cannot access your server and exploit it. If your server was breached please reinstall the whole server including operation system,” the company notes.

The crypto ATM maker released a CAS security fix and urged customers to consider all user passwords and API keys to exchanges and hot wallets as being compromised and to change them. The company also shared the crypto addresses used in the hack and the attackers’ IP addresses.

While General Bytes did not share information on the number of impacted ATM operators and users, transaction logs show that the attackers stole roughly $1.5 million in Bitcoin (around 56 BTC) from roughly 15 operators. Funds were stolen in dozens of other cryptocurrencies as well.

The company said that, despite several security audits conducted since 2021, the vulnerability exploited in this attack was not identified prior to the incident.

Responding to a SecurityWeek inquiry, General Bytes said: 

“The issue was addressed in a recent software update. However, operators are still implementing the solution. Additional placing of their infrastructure behind VPNs takes time. Operators that had their infrastructure behind VPN were not affected. Operators using the cloud our service are now installing self hosted servers which takes longer. 

We are closing our cloud service as we don’t see that as a safe solution for the future. ATM operators need to operate servers on their own infrastructure.”

General Bytes also said it has yet to determine the extent of the theft: “We don’t have the final numbers yet. We are still collecting the information from operators. As of now we still work with damage of around 56 BTC.”

Related: Dero, Monero Cryptojackers Fighting for Same Kubernetes Clusters

Related: Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process

Related: Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...