Crypto ATM manufacturer General Bytes hacked, at least $1.5 million stolen
Major crypto ATM manufacturer General Bytes has announced a security breach that has forced it to shut down a majority of its U.S.-based automated teller machines.
A security incident happened on March 17 and 18, the company said over the weekend, and resulted in the theft of at least $1.5 million worth of bitcoin. General Bytes describes it as the "highest" level of breach.
The company calls itself “the world’s largest” crypto ATM manufacturer, with over 15,000 machines in more than 149 countries. Some of the kiosks only allow cash-for-crypto transactions; others are “two-way,” meaning customers can get cash for their digital currency.
According to its founder Karel Kyovsky’s statement detailing the incident, hackers were able to remotely upload their own Java application onto the company's server, exploiting a vulnerability in the master service interface used to upload videos.
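The report says a Java application was accepted by an interface meant for video uploads. As an added illustration of the server-side check that would reject such a file (example code written here, not General Bytes' CAS code; the real interface's details are not public, so the accepted formats, function names and sample inputs are all assumptions):

```python
# Added example (not General Bytes code): content validation for a hypothetical
# video upload endpoint. A JAR is a ZIP archive, so an upload that is really a
# Java application can be detected by its structure, and anything that is not a
# recognised video container is denied by default.
import io
import zipfile

# Magic-byte signatures for the video containers this hypothetical endpoint accepts.
VIDEO_SIGNATURES = {
    "webm": lambda b: b[:4] == b"\x1a\x45\xdf\xa3",        # EBML header (WebM/Matroska)
    "mp4":  lambda b: len(b) >= 12 and b[4:8] == b"ftyp",   # ISO BMFF "ftyp" box
}

def looks_like_java_archive(data: bytes) -> bool:
    """True if the blob is a ZIP archive carrying a JAR manifest or class files."""
    if data[:2] != b"PK":          # ZIP local-file-header signature
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)

def classify_upload(data: bytes) -> str:
    """Return the accepted container name, or 'rejected' for anything else."""
    if looks_like_java_archive(data):
        return "rejected"          # executable content where a video is expected
    for name, check in VIDEO_SIGNATURES.items():
        if check(data):
            return name
    return "rejected"              # unknown format: deny by default

def build_sample_jar() -> bytes:
    """Construct a minimal JAR-like archive in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Uploader.class", b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()

# Constructed sample inputs: a minimal MP4 header and a minimal WebM header.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2"
SAMPLE_WEBM = b"\x1a\x45\xdf\xa3" + b"\x00" * 8

if __name__ == "__main__":
    for label, blob in [("mp4", SAMPLE_MP4), ("webm", SAMPLE_WEBM), ("jar", build_sample_jar())]:
        print(label, "->", classify_upload(blob))
```

Signature checks only establish what a file is not; uploads that pass should still be stored as inert data, outside any directory the application server loads code from.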
“We’ve concluded multiple security audits since 2021, and none of them identified this vulnerability,” Kyovsky said.
At the time of the publication, General Bytes had not responded to The Record’s request for comment.
The incident allowed the attackers to read and decrypt API keys and access funds on exchanges and “hot” cryptocurrency wallets, which are maintained online. They also were able to steal usernames and passwords, and turn off two-factor authentication.
The total amount of stolen crypto funds is unclear. A wallet associated with the attack holds 56 BTC, or nearly $1.5 million, which was received around the time of the attack, according to the Blockchair analytics platform.
This is not the first time General Bytes' machines were breached. In August, attackers stole around $16,000 in bitcoin deposited at ATMs, exploiting a vulnerability in the company’s CAS software — a web-based platform for managing fleets of ATMs. The previous incident wasn't as serious because the attackers didn't gain access to databases, passwords, private keys or API keys.
General Bytes urges customers to take immediate action to protect their personal information. The company also encourages users to generate new API keys and invalidate the old ones.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.