Over $1.5 million in crypto has been stolen via a General Bytes Bitcoin ATM exploit. Hackers abused a zero-day flaw in order to steal the funds.

General Bytes Bitcoin ATMs Were Hacked

On March 18, 2023, major Bitcoin ATM provider General Bytes experienced a security incident that led to the theft of over $1.5 million in Bitcoin.

General Bytes, based in the Czech Republic, has sold over 15,000 Bitcoin ATMs in 149 countries, according to its official website. On March 20, two days after the security incident, General Bytes released a blog post informing the public of the hack.

In the General Bytes blog post, it was stated that the attacker behind the exploit "could upload his java application remotely via the master service interface used by terminals to upload videos and run it using BATM user privileges."

The attacker "scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean."

The attacker exploited a zero-day flaw in General Bytes' master service interface in order to upload the Java application.
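The failure described above, an interface meant for uploading videos that accepted and ran a Java application, points at the kind of server-side control that blunts it: checking what was actually uploaded rather than what the filename claims. The Python below is an added illustration written for this article; it is not General Bytes' code and does not describe how its interface works. The file signatures are the public magic numbers of the formats named, and the sample uploads are constructed inline.

```python
"""Content sniffing for an upload endpoint that should only accept video.

Added example (not General Bytes' code). The check classifies an upload by its
leading bytes: anything that looks like a JAR (a ZIP archive) or a compiled
Java class is refused outright, and only recognised video containers pass.
"""
from dataclasses import dataclass

# Signatures of the media types the endpoint is meant to accept.
# MP4/MOV carry an 'ftyp' box at offset 4; WebM/Matroska start with an EBML header.
VIDEO_SIGNATURES = {
    "mp4": (4, b"ftyp"),
    "webm": (0, b"\x1a\x45\xdf\xa3"),
}

# Signatures that must never be accepted by a video endpoint:
# a JAR is a ZIP archive, and compiled Java classes begin with 0xCAFEBABE.
EXECUTABLE_SIGNATURES = {
    "zip/jar": (0, b"PK\x03\x04"),
    "java-class": (0, b"\xca\xfe\xba\xbe"),
}


@dataclass
class Verdict:
    accepted: bool
    kind: str
    reason: str


def _matches(data: bytes, offset: int, magic: bytes) -> bool:
    return data[offset:offset + len(magic)] == magic


def classify_upload(filename: str, data: bytes) -> Verdict:
    """Decide whether an upload may be stored, based on content, not name."""
    # Executable content is rejected first, whatever the filename claims.
    for kind, (off, magic) in EXECUTABLE_SIGNATURES.items():
        if _matches(data, off, magic):
            return Verdict(False, kind, f"executable content disguised as {filename!r}")
    for kind, (off, magic) in VIDEO_SIGNATURES.items():
        if _matches(data, off, magic):
            return Verdict(True, kind, "recognised video container")
    return Verdict(False, "unknown", "content does not match an allowed video type")


# Constructed sample uploads (not real files): just enough of each header
# for the check to fire, padded with zero bytes.
SAMPLES = {
    "promo.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16,
    "clip.webm": b"\x1a\x45\xdf\xa3" + b"\x00" * 16,
    "ad.mp4 (actually a jar)": b"PK\x03\x04" + b"\x00" * 16,
    "ad.mp4 (class file)": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
}


def audit_samples() -> dict:
    """Map each constructed sample to whether the endpoint would accept it."""
    return {name: classify_upload(name, data).accepted for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = classify_upload(name, data)
        state = "ACCEPT" if v.accepted else "REJECT"
        print(f"{name:28} -> {state} ({v.kind}: {v.reason})")
```

The order of the checks matters: a deny-list of executable signatures is consulted before the allow-list of video types, so a file that happens to carry both patterns is still refused, and anything unrecognised is rejected by default rather than stored.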

As a result of the zero-day exploit, the attacker was able to do the following:

  • Access the database.
  • Read and decrypt API keys to access funds held in exchanges and hot wallets.
  • Withdraw funds from the targeted hot wallets.
  • Download usernames and password hashes.
  • Disable two-factor authentication.
  • Access terminal event logs and detect instances of users scanning their private key at a General Bytes ATM (which older versions of General Bytes' software would log).

At least 56 Bitcoins were stolen in the attack, amounting to over $1.5 million at the time of writing.

The Exploited Vulnerability Has Finally Been Patched

It took General Bytes 15 hours to release a patch for the vulnerability, by which point the attack had already succeeded.

General Bytes stated in its blog post regarding the hack that, in the multiple security audits conducted by the company since 2021, the exploited software vulnerability was never detected.

This is the second General Bytes security incident in the past year: a vulnerability was also exploited to steal funds in August 2022.

General Bytes Closes Its Cloud Service

In the aforementioned blog post, General Bytes notified readers that it would be closing its cloud service. From now on, the ATM provider will require its customers to access its ATMs via stand-alone servers.

General Bytes also stated that customers have already been given information on the new setup, and said it hopes users will be understanding of the change.

Crypto Crime Remains Prevalent

This General Bytes Bitcoin ATM hack is just another of the thousands of crypto crimes that have taken place over recent years. Cybercriminals continue to focus on this industry to steal data and funds, with cryptocurrency providing an extra layer of anonymity.

Though detection and prevention methods are improving, there are still numerous ways through which organizations and individuals can lose their assets in crypto-based cyberattacks.