Hackers drain bitcoin ATMs of $1.5 million by exploiting 0-day bug

By | March 21, 2023
A BATM sold by General Bytes.
Enlarge / A BATM sold by General Bytes.
General Bytes

Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.

The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that aren’t entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface.

Going, going, gone

Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASes operated by the company and by customers. To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application. The actor then drained various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes patched the vulnerability 15 hours after learning of it, but due to the way cryptocurrencies work, the losses were unrecoverable.

General Bytes officials wrote:

The night of 17-18 March was the most challenging time for us and some of our clients. The entire team has been working around the clock to collect all data regarding the security breach and is continuously working to resolve all cases to help clients back online and continue to operate their ATMs as soon as possible. We apologize for what happened and will review all our security procedures and are currently doing everything we can to keep our affected customers afloat.

The post said the flow of the attack was:

1. The attacker identified a security vulnerability in the master service interface the BATMs use to upload videos to the CAS.

2. The attacker scanned the IP address space managed by cloud host DigitalOcean Ocean to identify running CAS services on ports 7741, including the General Bytes Cloud service and other BATM operators running their servers on Digital Ocean.

3. Exploiting the vulnerability, the attacker uploaded the Java application directly to the application server used by the admin interface. The application server was, by default, configured to start applications in its deployment folder.

Once the malicious application executed on a server, the threat actor was able to (1) access the database, (2) read and decrypt encoded API keys needed to access funds in hot wallets and exchanges, (3) transfer funds from hot wallets to a wallet controlled by the threat actor, (4) download user names and password hashes and turn off 2FA, and (5) access terminal event logs and scan for instances where customers scanned private keys at the ATM. The sensitive data in step 5 had been logged by older versions of ATM software.

BATM customers on their own now

Going forward, this weekend’s post said, General Bytes will no longer manage CASes on behalf of customers. That means terminal holders will have to manage the servers themselves. The company is also in the process of collecting data from customers to validate all losses related to the hack, performing an internal investigation, and cooperating with authorities in an attempt to identify the threat actor.

General Bytes said the company has received “multiple security audits since 2021,” and that none of them detected the vulnerability exploited. The company is now in the process of seeking further help in securing its BATMs.

The incident underscores the risk of storing cryptocurrencies in Internet-accessible wallets, commonly called hot wallets. Over the years, hot wallets have been illegally drained of untold amounts of digital coin by attackers who exploit various vulnerabilities in cryptocurrency infrastructures or by tricking wallet holders into providing the encryption keys required to make withdrawals.

Security practitioners have long advised people to store funds in cold wallets, meaning they’re not directly accessible to the Internet. Unfortunately, BATMs and other types of cryptocurrency ATMs generally can’t follow this best practice because the terminals must be connected to hot wallets so that they can make transactions in real time. That means BATMs are likely to remain a prime target for hackers.