A Bitcoin ATM is seen June 13, 2022, in the Brooklyn Heights neighborhood of New York City. (Photo by Michael M. Santiago/Getty Images)

Hackers were able to steal cryptocurrency from customers via a zero-day bug in Bitcoin ATMs that allowed them to create admin user profiles.

Bleeping Computer reported that Bitcoin ATM manufacturer General Bytes is warning operators to not operate servers until they’ve patched their systems.

“The attacker was able to create an admin user remotely via CAS [Crypto Application Server] administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” read the Aug. 18 General Bytes security update on its wiki.

The attacker was able to have payments forwarded to their own crypto wallets on a number of two-way machines when customers sent invalid payments to BATMs, General Bytes said in the update. The security update also noted that all affected operators were notified.

The General Bytes also highligthed that the vulnerability has been present since 2020, but the attack began three days after General Bytes posted support for Ukraine on its terminals. 

“We’ve concluded multiple security audits since 2020, and none of them identified this vulnerability. The attack started on the 3rd day after we publicly announced the ‘Help Ukraine’ feature on our BATMs,” they wrote.

Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, said vulnerabilities where internet accessible default installed admin consoles is not uncommon, and suggested disabling default admin install consoles and protect remote access to the ATM by VPN or multi-factor authentication.

"Unfortunately, because it was left unprotected and exploitable, people's cryptocurrency holdings have likely been stolen forever," said Grimes.