Cybercriminals Stole over $1.6 Million in Crypto Assets from General Bytes Bitcoin ATMs

A zero-day vulnerability in General Bytes Bitcoin ATMs’ software allowed perpetrators to steal roughly $1.6 million worth of assets from hot wallets in a high-profile crypto heist.

The attackers reportedly leveraged a flaw in the terminals’ master service interface to upload a rogue java application remotely. Although the company failed to disclose the exact amount of crypto assets stolen by the threat actors, on-chain analysis tools reveal that 56.283 BTC, 21.823 ETH, and 1,219.183 LTC, worth over $1.6 million, went missing.

According to General Bytes’ security advisory, the attacker “scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).”

The exploit granted threat actors several privileges on the compromised systems, including:

• Full database access
• Read and decrypt hot wallets and exchange API keys
• Disable two-factor authentication (2FA)
• Retrieve user credentials (usernames and passwords)
• Transfer hot wallet funds
• Access terminal event logs
• Access old logs containing private key user scans at the ATM

“Using this security vulnerability, (the) attacker uploaded his own application directly to (the) application server used by (the) admin interface,” according to the advisory. The “application server was by default configured to start applications in its deployment folder.”

Although the company claims to have run several security audits since 2021, the vulnerability has eluded digital forensics. General Bytes included an extensive list of crypto addresses and a few IP addresses the attacker used.

The report includes detailed information to help operators establish whether their server was breached, as well as a series of mitigation recommendations. General Bytes urges operators who doubt they’ve been breached to take several measures, including:

• Changing all user passwords
• Invalidating old API keys and generating new ones
• Treat all users’ CAS (crypto ATM server) passwords as well as hot wallets and exchange API keys as if they were compromised
• Employ firewalls and VPNs to protect CAS and terminals