General Bytes, the world's largest manufacturer of cryptocurrency ATMs, disclosed a critical security incident on March 17–18, 2023, in which a remote attacker exploited the master service interface to siphon funds from hot wallets. The company confirmed that 56.28 bitcoins (worth approximately $1.5 million at the time) were stolen, along with dozens of other cryptocurrencies including ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. The breach forced the majority of U.S.-based crypto ATM operators running General Bytes machines to temporarily halt operations nationwide.
Attack Details
According to the official security bulletin, the attacker uploaded a custom Java application using the master service interface—a feature normally used by terminals to upload videos. This granted the hacker full BATM user privileges, allowing access to the database, decryption of API keys used to access hot wallets and exchanges, downloading of usernames and password hashes, and disabling of two-factor authentication (2FA). The attacker then initiated withdrawals from hot wallets belonging to approximately 15 to 20 ATM operators across the country. On-chain data shows that the primary Bitcoin address holding the 56.28 BTC has remained dormant since the last transaction at 3:20 a.m. on March 18, while some funds were moved to other addresses and a portion was sent to Uniswap, a decentralized exchange.
Impact and Response
A U.S.-based crypto ATM operator who spoke with Bitcoin.com News confirmed that all operators using General Bytes machines were forced to shut down servers for the evening. The operator noted that servers would need to be rebuilt from scratch — a lengthy process. General Bytes announced it is discontinuing its cloud service (CAS) and transitioning ATM operators to self-hosted servers. The company stated that multiple security audits had been conducted since 2021, but none identified the vulnerability exploited in this attack. Interestingly, one operator reported that its full node setup, which was “locked down enough,” prevented the attacker from accessing funds despite the system being compromised.
Historical Incidents
This is not the first security issue for General Bytes. In August 2022, the company was hit by a zero-day attack that allowed remote creation of an admin user via the CAS administrative interface. That vulnerability was patched promptly. In the current incident, General Bytes has released the attacker's Bitcoin address (still holding 56.28 BTC) and three IP addresses used during the breach. The company urged all customers to read the security bulletin and take immediate action to protect their funds and personal information.
The hack highlights persistent vulnerabilities in the crypto ATM industry. With over 9,505 machines deployed globally — the majority in the U.S. — General Bytes is a backbone of the physical crypto infrastructure. The incident not only disrupted operators but also sparked discussions about hot wallet security, the risks of cloud-based management, and the need for more rigorous third-party audits. As the investigation continues, operators are advised to move to self-hosted servers and implement additional layers of protection for their master service interfaces.

