Bitcoin ATM maker General Bytes shuts down its cloud service after hacker identifies vulnerability

Quick Take

  • A hacker identified a security vulnerability in General Bytes’ bitcoin ATMs, which enabled them to read and decrypt API keys.
  • The company issued a high-severity security incident warning and patch on its Confluence page. It is also shutting down its cloud service.

A hacker was able to upload their own Java application onto General Bytes' bitcoin ATMs, which enabled the attacker to read and decrypt API keys to access funds on exchanges and hot wallets.

The company posted a high-severity security incident warning on its Confluence page on March 18. The attacker was able to access the database, download user names and passwords, turn off two-factor authentication, and scan terminal event logs for instances when customers scanned private keys in the ATM, the company said.

"We urge all our customers to take immediate action to protect their funds and personal information and carefully read the security bulletin listed here," the company said on Twitter.

How did it happen?

The hacker was able to mount the attack by uploading their own Java application and running it remotely, using the master service interface, which is used in bitcoin ATMs to upload videos to the server, the company said.

Both General Bytes' cloud service and standalone servers were compromised, and as a result the company is closing down its cloud service.

"It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors," said the company in the post, adding that it would provide support to customers to transition from the cloud service to running their own standalone servers.

The company published steps to implement the security fix. It also said that multiple audits completed since 2021 had not identified this vulnerability.

$1.5 million of bitcoin stolen

The security post also listed the crypto addresses and APIs used by the attacker. On-chain analysis shows a balance of 56 bitcoin ($1.5 million) in the bitcoin wallet linked to the attacker. 

This isn't the first time General Bytes has experienced an attack. In August of last year, a hacker was able to steal funds from customers making deposits at its bitcoin ATMs. In that case, the hacker modified the crypto settings of two-way machines with their own wallet settings and the "invalid payment address" setting.

General Bytes' website states that it has sold more than 15,000 machines in over 140 countries.

The company didn't immediately respond to a request for comment.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Kari McMahon is a deals reporter at The Block covering startup fundraises, M&A, FinTech and the VC industry. Prior to joining The Block, Kari covered investing and crypto at Insider and worked as a Python software developer for several years.

Editor

Mike Millard