General Bytes' hot wallets compromised, at least $1.5 million stolen

Despite recent audits, the popular ATMs had an undetected vulnerability that allowed the hacker to empty hot wallets.

Broken Bitcoin machine
The attacker uploaded a Java program through the master service interface of the back-end system that runs the Android-based ATMs.

Between March 17 and 18, General Bytes, one of the leading Bitcoin ATM manufacturers, suffered a security breach that affected both its cloud service and operators' standalone servers.

General Bytes describes itself on its official website as "the world's largest Bitcoin, blockchain, and cryptocurrency ATM manufacturer". The company, which has sold over 15,000 Android-powered ATMs in nearly 150 countries, is headquartered in the Czech Republic and the United States.

According to a post by Karel Kyovsky, owner of General Bytes, the incident was rated at the highest severity level. It was carried out remotely by an attacker who uploaded a custom program written in Java through the master service interface. With that foothold, the attacker connected to the database, decrypted the stored API keys, and used them to transfer cryptocurrency out of hot wallets.

In addition, the attacker downloaded user data, including password hashes, and was able to disable two-factor authentication. The attacker could also see events in which customers scanned their private keys at the ATMs.

General Bytes has not yet disclosed the exact amount of stolen funds, but it has revealed the wallet addresses used in the attack. According to on-chain data, transactions made using the Bitcoin wallet had a total value of 56 BTC worth more than $1.54 million at the time of publication.

Although the attacker exploited a vulnerability in the master service interface, Kyovsky emphasized that none of the numerous security audits conducted since 2021 had detected it.

"The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider). Using this security vulnerability, the attacker uploaded his own application directly to the application server used by the admin interface. The application server was by default configured to start applications in its deployment folder," Kyovsky explained.
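The second half of that description, an application server that starts whatever lands in its deployment folder, is something an operator can watch for directly. The following is an added example, not General Bytes' code (the article does not name the application server in use): it takes a hashed baseline of a deployment folder after an approved deployment and, on each later check, reports files that appeared or changed, raising an alert for any deployable archive among them. The folder layout, the suffixes treated as deployable (`.war`, `.jar`, `.ear`) and the sample files in `demo_scenario` are constructed for illustration.

```python
# Added example (not General Bytes' code): baseline-and-diff monitor for an
# application server's auto-deploy folder. The folder layout, the suffixes
# treated as deployable and the sample files are assumptions for illustration.
import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes an application server typically hot-deploys; assumed for this example.
DEPLOYABLE_SUFFIXES = {".war", ".jar", ".ear"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(deploy_dir) -> dict:
    """Map every file under deploy_dir (relative POSIX path) to its SHA-256."""
    deploy_dir = Path(deploy_dir)
    return {
        p.relative_to(deploy_dir).as_posix(): hash_file(p)
        for p in sorted(deploy_dir.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare a signed-off baseline with the current folder state.

    Any deployable archive that appeared or changed since the baseline is an
    alert: a server that auto-starts its deploy folder has already run it.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    alerts = sorted(k for k in added + modified
                    if Path(k).suffix.lower() in DEPLOYABLE_SUFFIXES)
    return {"added": added, "removed": removed, "modified": modified, "alerts": alerts}


def demo_scenario() -> dict:
    """Constructed scenario: baseline a legitimate deployment, then simulate an
    attacker dropping an archive into the folder and re-run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        deploy = Path(tmp) / "deploy"
        (deploy / "admin").mkdir(parents=True)
        (deploy / "admin" / "admin.war").write_bytes(b"legitimate admin interface")
        (deploy / "README.txt").write_text("operator notes")

        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(deploy), manifest_path)

        # Simulated intrusion: a new archive appears and a text file is edited.
        (deploy / "uploaded.war").write_bytes(b"attacker-supplied application")
        (deploy / "README.txt").write_text("operator notes (edited)")

        return diff_manifests(load_manifest(manifest_path), build_manifest(deploy))


if __name__ == "__main__":
    result = demo_scenario()
    print(json.dumps(result, indent=2))
    if result["alerts"]:
        raise SystemExit(f"ALERT: unexpected deployable(s): {result['alerts']}")
```

Two caveats for real use: the baseline must be stored where the account running the application server cannot write, since anyone who can upload an archive to the deploy folder could otherwise also rewrite the baseline; and the check only covers the drop-in path, so the other half of the fix, not exposing the admin port (7741 in Kyovsky's account) to the whole internet, still has to be done at the firewall or VPN.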


Notably, the audits Kyovsky referred to also failed to catch an earlier zero-day attack on General Bytes' ATMs in August 2022, in which the attacker obtained administrator privileges and changed the system's settings so that all funds deposited into the ATM were redirected to the attacker.

General Bytes is now asking security companies to conduct further independent audits, since the previous ones did not identify the issue that led to the breach.

The incident led some tech-savvy Twitter users to suspect that the attack was carried out by a General Bytes employee or operator, as they believe such an attack required considerable knowledge of the system's internals. Some users went further and voiced concerns that manufacturers could deliberately build "back doors" into their products and sell the means of exploiting them.

Community members are also demanding that General Bytes reimburse affected customers, arguing that the attack was the result of the company's negligence, while more experienced crypto users advise against using ATMs at all because of their "outrageous fees."

Meanwhile, on March 17, Ethereum co-founder Vitalik Buterin shared with the Reddit community his preferred method for keeping crypto secure. According to Buterin, the most effective option for long-term storage is a multisig wallet, which cannot execute a transaction without signatures from more than one key.

"Multisig wallets (eg. Gnosis Safe) are an easy and safe way to store funds, and can give you most of the key benefits of self-custody – namely, your funds not being subject to disappearing because a centralized entity that seemed trustworthy turns out not to be at all – without the risks of having to be personally responsible for your entire security setup. I use a multisig wallet personally to store the bulk of my funds, as does the Ethereum Foundation," Buterin explained in his post, noting the importance of having a network of trusted devices or people.