Bitcoin ATM maker General Bytes shut down its cloud service after discovering a "security hole" that allowed attackers to access users' hot wallets and obtain sensitive information such as passwords and private keys.
Headquartered in Prague, the company has sold more than 15,000 Bitcoin (BTC) ATMs to buyers in more than 149 countries around the world, according to its website.
In a March 18 patch release announcement, the ATM manufacturer issued a warning, explaining that hackers had been able to remotely upload and run Java applications on its terminals via the main service interface, with the aim of stealing user information and sending funds from hot wallets. General Bytes founder Karel Kyovsky listed in the announcement what this gave the hackers:
- "The ability to access databases.
- Capable of reading and decrypting API keys used to access hot wallets and exchange funds.
- Send funds from a hot wallet.
- Download usernames, password hashes and turn off 2FA.
- Ability to access terminal event logs and scan for any instances of customers scanning private keys at ATMs. Older versions of ATM software are recording this information."
The notice revealed that General Bytes' cloud service was compromised, as well as stand-alone servers of other operators. "We've completed multiple security audits since 2021, and none of them found this vulnerability," Kyovsky said. Although the company noted that hackers were able to "send funds from hot wallets," it did not disclose the amount stolen as a result of the breach.
However, General Bytes released details of 41 wallet addresses used in the attack. On-chain data shows that one of the wallets made multiple transactions with a total balance of 56 BTC, worth over $1.54 million at current prices. Another wallet showed multiple ether (ETH) transactions received for a total of 21.82 ETH, worth about $36,000 at current prices.
Cointelegraph reached out to General Bytes for confirmation, but did not hear back before publication. The company has urgently advised BTC ATM operators to install their own standalone servers and released two patches for their Crypto Application Server (CAS), which manages ATM operations. "Place your CAS behind a firewall and VPN. Endpoints should also connect to the CAS via VPN," Kyovsky wrote.
"Also, consider that all your users' passwords, API keys for exchanges and hot wallets have been compromised. Please invalidate them and generate new keys and passwords."
General Bytes' servers were compromised in a zero-day attack last September, allowing hackers to make themselves the default administrator and modify settings so that all funds were transferred.



















