Zero-day spells disaster for Bitcoin ATM

Bitcoin ATMs have experienced a severe bout of cash drain after a zero-day bug was exploited to steal a total of $1.5 million in digital currency. The ATMs, located in various convenience stores, function along the lines of regular banking ATMs except your dealings are all in the cryptocurrency realm.

As Ars Technica notes, a particular feature of the affected ATMs is the ability to upload video. It’s not mentioned what these videos are used for (presumably security cameras), but the master server interface allowing for the video uploads is where things went horribly wrong.

From the General Bytes statement regarding the March 18 incident:

The GENERAL BYTES Cloud service and other standalone servers run by operators suffered security breaches. We noticed the first signs of a break-in on Friday night, right after midnight on Saturday, 18 March (UTC+1). We notified customers to shut down their CAS servers as soon as possible. The attacker could upload his java application remotely via the master service interface used by terminals to upload videos and run it using BATM user privileges. As a result, the attacker could send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch. The patch was released within 15 hours.

To make use of the exploit, the attacker uploaded a custom-made application to the ATM application server used by the administration interface. In a nod to the evergreen security tip “Don’t allow things to autorun if you don’t need them to”, the application server allowed applications to start by default.

With this in place, the attacker was able to:

  • Access the database.
  • Read and decrypt API keys to access funds in hot wallets and exchanges.
  • Send funds from hot wallets.
  • Download user names and their password hashes, and turn off 2FA.
  • Access terminal event logs, which can include private keys at the ATM.

56 bitcoins are currently worth a cool $1.5 million. It is very unlikely all of the stolen coins belonged to one person, but this is scant consolation for anyone affected. For now, General Bytes is collecting information on everyone affected to “validate losses”. It remains to be seen if anyone is able to recover their funds, but losing money in any cryptocurrency scenario is always a very risky business because cryptocurrencies are generally, by design, unable to roll back fraudulent transactions.

Interestingly, the affected company has put out a call to any security companies and individuals who feel they can assist in making the product safer.
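
The weakness described above is an upload endpoint meant for videos that accepted a Java application, on a server that started applications by default. The following added example, which is not General Bytes code and not part of the original article, shows an upload handler that rejects archive and executable content and refuses to store files under the deploy directory; the function names, the directory arguments and the MP4-only policy are assumptions.

```python
import os
import secrets
from pathlib import Path

# Signatures that must never arrive on a video-upload endpoint.
EXECUTABLE_MAGIC = {
    b"PK\x03\x04": "zip/jar/war archive",
    b"\xca\xfe\xba\xbe": "Java class file",
    b"\x7fELF": "ELF binary",
    b"MZ": "Windows executable",
}

# Constructed sample inputs (not captured from the incident).
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2" + b"\x00" * 32
SAMPLE_JAR = b"PK\x03\x04\x14\x00\x08\x08\x08\x00" + b"META-INF/MANIFEST.MF"

def classify(head: bytes) -> str:
    """Return 'video' for an ISO-BMFF (MP4) header, else a rejection reason."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return f"rejected: {name}"
    # ISO-BMFF files start with a 4-byte box size followed by the box type 'ftyp'.
    if len(head) >= 12 and head[4:8] == b"ftyp":
        return "video"
    return "rejected: not a recognised video container"

def safe_destination(upload_dir: Path, deploy_dir: Path) -> Path:
    """Server-chosen file name; refuse a location the app server auto-starts from."""
    dest = (upload_dir / f"{secrets.token_hex(16)}.mp4").resolve()
    deploy = deploy_dir.resolve()
    if deploy in dest.parents:
        raise ValueError("upload directory is inside the application deploy directory")
    return dest

def accept_upload(data: bytes, upload_dir, deploy_dir):
    """Check content first, then write a new non-executable file. Returns (path, verdict)."""
    verdict = classify(data[:16])
    if verdict != "video":
        return None, verdict
    dest = safe_destination(Path(upload_dir), Path(deploy_dir))
    dest.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: never overwrite an existing file; 0o640: no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest, verdict
```

A signature check alone does not stop polyglot files, since a Java archive can carry leading bytes that look like another format. Keeping uploads out of the deploy directory and switching off automatic start are the controls that prevent an uploaded file from running.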

Keeping your hot wallet safe

Your cryptocurrency wallet type is a subject for an article all of its own, but in most cases you’re going to have a wallet which is hot or cold. A cold wallet is not connected to the Internet and is therefore the safest possible choice. A hot wallet comes with some form of connectivity built in, which is much more convenient. You’re able to send funds, for example, and engage with cryptocurrency exchanges. In this case, the compromised wallets are considered to be hot. Without this functionality, the ATM would be rather useless for the user’s needs.

You can’t prepare for every eventuality. If an exchange (or, in this case, a connected ATM) is compromised then your funds could still vanish no matter what security plans you have in place. Even so, here’s what you can do from your end to keep things secure.

  • Enable two-factor authentication. If it’s available for your flavour of wallet, then make sure to turn it on. Hardware keys are safest, then authenticator apps, and lastly SMS.
  • Keep your recovery passphrase safe. Never hand over your recovery phrase to any site or individual. This is a common scam deployed by phishers.
  • Be sceptical of airdrops. This is another way to entice potential victims with phishing tactics. As per the above, asking for your recovery phrase is the ultimate aim.

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.