- Hackers managed to divert funds from General Bytes Bitcoin ATMs recently
- The attackers created admin accounts for themselves and stole user bitcoin
- General Bytes hasn’t revealed how much bitcoin was taken
Hackers managed to infiltrate the servers of Bitcoin ATM manufacturer General Bytes recently and divert funds to their own wallets. The amount of funds stolen and the number of ATMs compromised weren’t disclosed by the company, which operates 8,827 machines worldwide, but General Bytes notes that the attack came on the third day after it announced a ‘Help Ukraine’ feature on ATMs, with hackers seemingly hoping for a charity windfall. Kraken Security Labs revealed last year that the type of machine targeted was riddled with security flaws, including a possible admin takeover.
User Funds Diverted
General Bytes reported the incident last week, releasing a security notification on its website to say that the hackers had managed to update the software on its bidirectional machines, which allowed them to create a new default admin user and use it to divert coins sent to the ATM to their own wallets.
Bidirectional (or two-way) ATMs allow users to convert cash to bitcoin and bitcoin to cash, as opposed to the first generation of machines, which only allows cash-to-bitcoin conversions. General Bytes has some 7,000 bidirectional machines installed in the USA, but seeing as it is up to individual operators to update the software, it is unknown how many machines were affected by the hack.
Hackers Created Admin Account
General Bytes stated that the hackers were able to create a new admin account and divert funds to themselves, but was very keen to reassure operators that the attackers did not gain access to the host operating system, host file system or database.
Users will also be relieved to know that the hackers didn’t gain access to any passwords, password hashes, salts, private keys or API keys. However, given that some users may well have lost bitcoin to the hackers because of the vulnerability, it is hoped that General Bytes will refund their losses, although this was not stated in the update.
Kraken Predicted Security Flaws
This news shouldn’t come as a surprise given that last year Kraken Security Labs discovered a multitude of flaws in General Bytes’ bidirectional Bitcoin ATMs, with one attack vector specifically relating to the admin accounts.
General Bytes has now issued an emergency patch, adding that several security audits had taken place since 2020, none of which identified this vulnerability. With Kraken identifying several flaws in October last year, General Bytes might want to have a word with its security auditor.