Bitcoin ATM maker quits cloud service after hot wallet breach

General Bytes, a maker of Bitcoin ATMs, has shut down its cloud services after the discovery of a “security flaw” that enabled an attacker to access customers’ hot wallets and obtain personal data, such as passwords and private keys.

According to the company’s website, it has sold more than 15,000 bitcoin ATMs in over 149 countries.

In a patch release advisory dated March 18, the ATM maker warned that a hacker was able to remotely upload a Java program to its terminals through the master service interface and execute it, in order to steal user information and transfer cash from hot wallets.

The founder of General Bytes, Karel Kyovsky, detailed in the bulletin how this enabled the hacker to do the following:

  • “Accessibility to the database.
  • The ability to read and decrypt API keys is required for money access in hot wallets and cryptocurrency exchanges.
  • Transfer money with hot wallets.
  • Obtain user names and their hashed passwords, then disable 2FA.
  • Access to terminal event logs and the capacity to search for instances in which users scanned a private key at an ATM. Earlier versions of ATM software were storing this data.”

The notification discloses that both General Bytes’ cloud service and other operators’ standalone servers were compromised.

Kyovsky said, “We have completed many security assessments since 2021, and none of them found this issue.”

While the firm said that the hacker was able to “transfer cash from hot wallets,” it did not reveal the total amount that was taken.

Nevertheless, General Bytes disclosed the 41 wallet addresses used in the hack. On-chain data reveals several transfers into one of the wallets, resulting in a total balance of 56 BTC, which at current pricing is worth over $1.54 million.

General Bytes released the details of 41 wallet addresses used in the attack. Source: General Bytes

Another wallet shows numerous Ether (ETH) transactions totaling 21.82 ETH, valued at around $36,000 at current pricing.

Two fixes have been deployed for the company’s Crypto Application Server (CAS), which handles the ATM’s functionality.

General Bytes is a Bitcoin ATM manufacturer based in Prague that has sold over 15,000 ATMs worldwide. Source: General Bytes

“Please safeguard your CAS with a firewall and VPN.” Moreover, terminals should connect to CAS through a VPN, Kyovsky said.

“Consider that all of your users’ passwords and API keys to exchanges and hot wallets have been hacked. Kindly render them invalid and produce new keys and passwords.”

In September last year, General Bytes’ servers were breached through a zero-day exploit that allowed hackers to make themselves default administrators and change settings so that all cash was stolen.

 
