General Bytes, the leading manufacturer of cryptocurrency automated teller machines (ATMs) with over 9,505 units deployed globally, experienced a severe security incident on March 17 and 18, 2023. The attacker remotely compromised the company's master service interface, gaining access to hot wallets and siphoning funds from approximately 15 to 20 U.S.-based crypto ATM operators. According to on-chain data, the hacker stole 56.28 Bitcoin (BTC), valued at roughly $1.5 million, along with a wide array of other cryptocurrencies including ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX.
Attack Vector: From Video Upload to Full System Compromise
In a security bulletin released on March 18, General Bytes detailed how the attacker exploited the master service interface — normally used by terminals to upload videos — to deploy a malicious Java application. This allowed the hacker to escalate privileges to a BATM user, access the underlying database, and decrypt API keys used to manage funds in hot wallets and connected exchanges. The attacker could also download usernames, retrieve password hashes, disable two-factor authentication (2FA), and directly transfer funds from hot wallets. Remarkably, the company stated that multiple security audits conducted since 2021 had failed to identify this vulnerability.
Industry Fallout: Widespread Shutdown of U.S. Crypto ATMs
Bitcoin.com News spoke with a U.S.-based crypto ATM operator who confirmed that all operators using General Bytes machines were ordered to shut down nationwide for the evening. Servers will need to be completely rebuilt from the ground up — a time-consuming process. In response, General Bytes announced it is discontinuing its cloud service and transitioning operators to self-hosted servers. This urgent migration poses significant operational challenges for thousands of ATM locations across the country. The company urged all customers to take immediate action to protect funds and personal information.
On-Chain Evidence and Historical Context
On-chain analysis reveals that the 56.28 BTC stolen in the attack has remained unmoved in a single address since its last transaction at 3:20 a.m. on March 18. Other stolen tokens were dispersed to multiple addresses, with a fraction sent to the decentralized exchange Uniswap. This is not the first security breach for General Bytes: In August 2022, the company suffered a zero-day attack that allowed remote creation of an admin user via the CAS administrative interface. The March 2023 incident exploited a different, previously unknown vulnerability. General Bytes disclosed the attacker's three IP addresses and the cryptocurrency addresses used in the attack, aiding law enforcement and forensic analysis.
Lessons Learned and Next Steps
The incident underscores the critical importance of securing hot wallets and master interfaces in crypto ATM infrastructure. While General Bytes is assisting affected operators with server rebuilds, many in the industry are calling for stricter security standards and independent audits. One operator told Bitcoin.com News that their firm's full-node setup and additional lockdown measures prevented the attacker from accessing funds despite the system being compromised — highlighting that layered defenses can mitigate even severe cloud vulnerabilities. Moving forward, operators are advised to adopt self-hosted solutions, implement strict network segmentation, and regularly rotate API keys. General Bytes has pledged to continue updating its security bulletin and to support the recovery process.

