General Bytes Hack Forces Crypto ATM Shutdowns as Over $1.5 Million in Bitcoin Is Stolen

General Bytes Hack Forces Crypto ATM Shutdowns as Over $1.5 Million in Bitcoin Is Stolen

N
News Editor 01
2026-07-08 14:12:15
General Bytes disclosed a major security breach that let attackers access hot wallets and operator systems, leading to the theft of 56.28 BTC and other crypto assets and temporary shutdowns across U.S. crypto ATM operators.
General Bytescrypto ATMbitcoin theftcybersecurityhot wallet

General Bytes, one of the world’s largest manufacturers of cryptocurrency ATMs, disclosed a serious security incident that took place on March 17 and 18. According to the company’s bulletin and reports from industry sources, the attacker was able to remotely access the firm’s master service interface, gain elevated privileges, and move funds from hot wallets linked to crypto ATM operators. The breach triggered widespread disruption, with a majority of U.S.-based operators using General Bytes machines reportedly shutting down services temporarily as a precaution.

The scale of the incident has drawn significant attention because General Bytes has deployed 9,505 crypto ATMs globally, with thousands of those machines installed in the United States. As a result, the vulnerability was not limited to a single operator or isolated deployment. Instead, it exposed a broader infrastructure risk tied to how crypto ATM networks are managed, how servers are connected, and how hot wallets are secured.

How the Attack Worked

In its security bulletin, General Bytes said the attacker exploited the master service interface, a component normally used by terminals to upload videos. By abusing this interface, the hacker was able to remotely upload a custom Java application. That foothold gave the attacker BATM user privileges and opened the door to deeper system access.

From there, the attacker reportedly accessed the database, read and decrypted API keys used to control funds in hot wallets and exchange accounts, and obtained other sensitive operational data. The company also said the hacker could download usernames, access password hashes, disable two-factor authentication (2FA), and directly send funds from hot wallets. In practical terms, this was not simply a front-end exploit or a minor software bug; it was a compromise that affected core administrative and financial controls.

The details suggest the attacker targeted the operational backbone of crypto ATM providers rather than individual users alone. Once privileged access was obtained, the compromise could affect wallet management, administrator credentials, and linked exchange infrastructure all at once.

More Than 56 BTC and Multiple Tokens Drained

Onchain data cited in the report shows that the attacker siphoned off 56.28 BTC, worth roughly $1.5 million at the time. In addition to bitcoin, the hacker liquidated or transferred dozens of other digital assets, including ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. Some of those funds were moved to other destinations, while a portion was reportedly sent through the decentralized exchange platform Uniswap.

The bitcoin address holding the stolen 56.28 BTC had not moved the funds after its last transaction at 3:20 a.m. on March 18, according to the report. Even so, the broader asset trail appeared more fragmented, with some of the stolen cryptocurrencies dispersed across different locations. That pattern is common in crypto thefts, where attackers may split funds, bridge them, or swap them through onchain venues in an effort to complicate tracing.

The losses appear to have been spread across approximately 15 to 20 crypto ATM operators in the United States. While the absolute dollar amount is relatively modest compared with some of the largest exchange hacks in crypto history, the incident is notable because it hit a real-world financial access channel that bridges cash and digital assets.

U.S. Operators Temporarily Shut Down Services

A U.S.-based crypto ATM operator told media that all American operators using General Bytes machines were effectively shut down nationwide for the evening following the incident. The operator also said servers would need to be rebuilt from the ground up, a process that can take considerable time depending on infrastructure complexity and internal security procedures.

That response highlights the operational severity of the breach. When a compromise affects wallet controls, API keys, and administrative privileges, simply patching a single server may not be enough. Operators may need to rotate credentials, revoke exchange integrations, rebuild systems, reissue access policies, and verify that no persistence mechanisms remain in the environment. For businesses handling customer transactions and cash-linked crypto flows, temporary downtime may be the only viable option while forensic work is underway.

One source cited in the report added that although the firm’s system had been hacked, it ran a full node that was sufficiently locked down to prevent the attacker from accessing certain funds. That suggests exposure levels may have differed between operators depending on their own internal setup, wallet segregation practices, and node architecture.

General Bytes Moves Toward Self-Hosted Servers

In the aftermath of the attack, General Bytes said it was transitioning operators toward self-hosted servers. The company also indicated that it would discontinue its cloud service. This is one of the most consequential parts of the disclosure because it points to a strategic shift in how the company wants its customers to deploy and control their infrastructure going forward.

Self-hosting can reduce certain centralized points of failure, but it also transfers more responsibility to operators. Running secure infrastructure requires expertise in server hardening, access management, network segmentation, patching, logging, key custody, and incident response. For some operators, especially smaller ones, that may improve control while also increasing the burden of security operations.

General Bytes further said it had undergone multiple security audits since 2021, yet none of those reviews identified the vulnerability exploited in this breach. That statement is likely to intensify scrutiny around the depth and scope of those audits, especially given the high-stakes nature of systems that connect ATMs, wallets, customer interfaces, and exchange rails.

Not the Company’s First Security Incident

This was not General Bytes’ first major security problem. The company previously disclosed a flaw on August 18, 2022, when an attacker used a zero-day exploit to remotely create an admin user via the CAS administrative interface. According to the company’s description of that earlier incident, the exploit leveraged a URL call to the page used for default server installation, allowing the attacker to create the first administration user.

The fact that both the 2022 and 2023 incidents involved critical administrative pathways raises concerns about systemic weaknesses in privileged access surfaces. For operators and security professionals, recurring problems in management interfaces are especially troubling because such interfaces often control the most sensitive actions in a system: user creation, software deployment, wallet connectivity, and transaction execution.

Why This Matters for the Crypto ATM Industry

Crypto ATMs occupy a unique position in the digital asset economy. They are one of the most visible and accessible points of entry for retail users, often serving customers who want to buy or sell crypto with cash. But that convenience depends on back-end systems that connect physical machines to remote administration layers, hot wallets, compliance tooling, and liquidity sources. When one of those core layers is compromised, the disruption can quickly spread across multiple operators and regions.

The General Bytes breach underscores several persistent risks in the sector: centralized management interfaces, dependence on hot wallets, exposure of API keys, and the complexity of cloud-based operations. It also illustrates a broader lesson for digital asset infrastructure providers: audits alone do not guarantee safety, especially when deployment models evolve and attackers probe obscure or under-monitored service pathways.

For now, the focus remains on containment and recovery. Affected operators must rebuild servers, rotate secrets, review wallet exposure, and assess whether any customer or administrator data was compromised. General Bytes has disclosed attack-linked addresses and three IP addresses associated with the intruder, which may help investigators and affected firms coordinate their response.

In the near term, the company’s remediation measures, the migration to self-hosted environments, and the operational decisions of ATM operators will be closely watched. Beyond the immediate losses, the breach may leave a lasting mark on how the crypto ATM industry approaches infrastructure security, especially where hot wallets and privileged remote administration are involved.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.