Zero-day bug exploited to steal cryptocurrency from Bitcoin ATM maker

A Bitcoin ATM is seen June 13, 2022, in the Brooklyn Heights neighborhood of New York City. (Photo by Michael M. Santiago/Getty Images)

Hackers were able to steal cryptocurrency from customers via a zero-day bug in Bitcoin ATMs that allowed them to create admin user profiles.

Bleeping Computer reported that Bitcoin ATM manufacturer General Bytes is warning operators to not operate servers until they’ve patched their systems.

“The attacker was able to create an admin user remotely via CAS [Crypto Application Server] administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” read the Aug. 18 General Bytes security update on its wiki.

The attacker was able to have payments forwarded to their own crypto wallets on a number of two-way machines when customers sent invalid payments to BATMs, General Bytes said in the update. The security update also noted that all affected operators were notified.

General Bytes also highlighted that the vulnerability has been present since 2020, but the attack began three days after General Bytes posted support for Ukraine on its terminals.

“We’ve concluded multiple security audits since 2020, and none of them identified this vulnerability. The attack started on the 3rd day after we publicly announced the ‘Help Ukraine’ feature on our BATMs,” they wrote.

Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, said vulnerabilities involving internet-accessible, default-installed admin consoles are not uncommon, and suggested disabling default admin install consoles and protecting remote access to the ATM with a VPN or multi-factor authentication.

"Unfortunately, because it was left unprotected and exploitable, people's cryptocurrency holdings have likely been stolen forever," said Grimes.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
