Bitcoin ATM users have reported having more than $16,000 stolen by hackers who used a zero-day vulnerability in General Bytes’ Bitcoin ATM servers.
Users reported last weekend that crypto was being drained from their wallets when they attempted to deposit or withdraw funds. The crypto was then siphoned into the hackers’ wallets.
ATM manufacturer General Bytes flagged the vulnerability on Thursday, saying that it’s “concluded multiple security audits since 2020, and none of them identified this vulnerability.”
The company told Protos that it knows of 13 users who were hacked and six that lost money.
The company also speculated that the attack, which originated in Georgia, may have been carried out by a Russian IT specialist in retaliation for General Bytes adding a button to its website that allows users to donate to Ukraine’s anti-Russia defense efforts. The donation button was added to the ATM screens just a few days before the attack.
The company said via email that it’s not obliged to repay any of the stolen funds but due to the relatively small amount stolen and the fact that it might still “mean a lot for small individual ATM operators targeted,” it’s considering reimbursing all affected customers.
“We want to express that we are deeply sorry for the security issue we have caused, and none of our security protocols caught it,” General Bytes told Protos.
“We are also sorry we didn’t push operators harder to hide their ATM server CAS instance from authorized public access behind VPN. We expect to release more information on how to secure their servers behind VPNs and more this week,” (our emphasis).
Bitcoin ATM hacker abused admin privileges
A “zero day” hack is the term used for an attack in which a hacker exploits a vulnerability before developers have been able to fix the problem.
In this particular case, hackers took advantage of a vulnerability that allowed them to create a new admin user, organization, and terminal within the firm’s software.
After renaming the new admin user to ‘gb,’ the attacker then altered the crypto settings to include their wallet address while also changing the ‘invalid payment address’ settings. From here the machine began to send any deposited/withdrawn crypto to the newly listed wallet address.
Bleeping Computer reported that the Bitcoin ATM hacks wouldn’t have happened if appropriate firewalls had been in place, restricting access to the server software to trusted IP addresses such as the location of an ATM or a customer’s workplace.
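The two controls described above (restricting admin access to trusted addresses, and noticing when an admin user is created or payout settings are changed) can be checked retrospectively against an audit log. The following is an added example, not General Bytes’ code or log format: the event format, setting names and IP ranges are all constructed for illustration.

```python
import ipaddress
import json

# Constructed sample audit log (NOT a real General Bytes/CAS format):
# one JSON event per line with timestamp, actor, source IP, action and details.
SAMPLE_LOG = """
{"ts":"2022-08-18T01:02:03Z","actor":"ops","src":"203.0.113.10","action":"login","details":{}}
{"ts":"2022-08-18T01:05:00Z","actor":"api","src":"198.51.100.77","action":"user.create","details":{"user":"tmp1","role":"admin"}}
{"ts":"2022-08-18T01:05:30Z","actor":"tmp1","src":"198.51.100.77","action":"user.rename","details":{"from":"tmp1","to":"gb"}}
{"ts":"2022-08-18T01:06:00Z","actor":"gb","src":"198.51.100.77","action":"settings.update","details":{"key":"crypto.wallet_address","value":"bc1qconstructedexample"}}
{"ts":"2022-08-18T01:06:10Z","actor":"gb","src":"198.51.100.77","action":"settings.update","details":{"key":"crypto.invalid_payment_address","value":"bc1qconstructedexample"}}
{"ts":"2022-08-18T02:00:00Z","actor":"ops","src":"203.0.113.10","action":"settings.update","details":{"key":"ui.language","value":"en"}}
"""

# Trusted networks: ATM locations and the operator's office (assumed ranges).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Settings whose change redirects funds; the key names are assumed, not the vendor's.
FUND_SETTINGS = {"crypto.wallet_address", "crypto.invalid_payment_address"}


def is_trusted(src):
    """True if the source IP falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)


def detect(log_text):
    """Return a list of (timestamp, reason) alerts for the events in log_text."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        d = ev["details"]
        reasons = []
        # Any management-plane event from outside the allowlist is suspicious.
        if not is_trusted(ev["src"]):
            reasons.append("admin action from untrusted IP %s" % ev["src"])
        # Creation of a new admin account is always worth a human look.
        if ev["action"] == "user.create" and d.get("role") == "admin":
            reasons.append("new admin user %r created" % d["user"])
        # Changes to where funds are sent must be reviewed regardless of source.
        if ev["action"] == "settings.update" and d["key"] in FUND_SETTINGS:
            reasons.append("payout setting %s changed to %s" % (d["key"], d["value"]))
        for r in reasons:
            alerts.append((ev["ts"], r))
    return alerts
```

Run against the sample, only the routine login and the language change from the trusted office address pass without an alert.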
General Bytes has advised all owners of its Bitcoin ATMs to update their terminals and follow the 11 steps listed on its site.