Attackers hit Bitcoin ATMs to steal $1.5 million in crypto cash

Unidentified miscreants have siphoned cryptocurrency valued at more than $1.5 million from Bitcoin ATMs by exploiting an unknown flaw in digicash delivery systems.

According to General Bytes, the outfit that sold the ATMs and had managed some of them with a cloud service, the attackers used an interface designed to upload videos to instead inject a malicious Java application, and then subverted ATM user privileges.

They drained at least 56 Bitcoin – about $1.5 million as of publication time – from crypto wallets. General Bytes issued a patch 15 hours after discovering the intrusion, but by then the digital coins were gone, leaving an unknown number of victims on the hook for the lost money.

"The entire team has been working around the clock to collect all data regarding the security breach and is continuously working to resolve all cases to help clients back online and continue to operate their ATMs as soon as possible," General Bytes explained in a statement.

General Bytes notified companies that bought its ATMs to shut down their systems. The supplier, headquartered in Prague with a US office in Bradenton, Florida, sells and operates five different models of crypto ATM.

People use them to exchange Bitcoin and other currencies. In all, General Bytes says it has sold more than 15,000 terminals in 149 countries supporting more than 180 currencies. The systems have performed more than 15.2 million transactions.

The attack

Businesses buying the ATMs connect them to a crypto application server (CAS) managed by the customer themselves or – until now – General Bytes through cloud service provider DigitalOcean.

In the breach over the weekend, the attackers exploited a vulnerability that had gone undetected despite multiple security audits since 2021. The baddies scanned DigitalOcean's IP address space and found Crypto Application Server (CAS) services on port 7741 – including General Bytes' cloud service and other customers running their ATMs on DigitalOcean.

"Using this security vulnerability, the attacker uploaded his application directly to the application server used by the admin interface," the chastened ATM vendor wrote. "The application server was, by default, configured to start applications in its deployment folder."

The miscreants accessed the database, read and decrypted API keys and exchanges, and drained digital coins from wallets. They could also download usernames and password hashes, turn off multifactor authentication, access terminal event logs, and search for instances where users scanned private keys at the terminals.

This is the second such attack on General Bytes, which had digital coins stolen in August 2022 by miscreants exploiting a flaw in the CAS.

The problem with hot wallets

Hot wallets present a particular problem in the high-risk crypto market. Wallets would be safer if disconnected from the internet, but users rely on them for quick transactions, which calls for connectivity.

"The entire purpose of hot wallets is to provide an immediate ability to make transactions," John Bambenek, principal threat hunter at cybersecurity firm Netenrich, told The Register. "That said, the security of any wallet is tied to the security of the private key. If someone gets that – which can be copied – it's game over. All the layers of protection against fraud don't and can't apply to crypto."

General Bytes said it is shutting down its cloud services, noting it is "theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors."

All customers now will manage their own terminals using their own servers. General Bytes will help businesses migrate their data from the cloud to their standalone servers. It's also urging customers to keep their CAS behind a firewall and VPN to prevent other attackers getting into them through the internet.

They also should assume all their users' passwords and API keys to exchanges and hot wallets are compromised.

The Register has asked General Bytes for further comment and will update if more information comes in.

Crypto theft is a big business that is only growing bigger. According to blockchain biz Chainalysis, $3.8 billion in digital coins were stolen in 2022, compared with $500 million two years earlier. Mike Parkin, senior technical evangelist at risk remediation vendor Vulcan Cyber, said there is only one way to really reduce the risk that comes with cryptocurrency: Get out of it altogether.

"It may not be the answer people want to hear, but crypto is still immature, volatile, unregulated, and subject to new and creative cyber criminal attacks," Parkin told The Register. "Do you really want your money in this space?" ®