Hackers Target Bitcoin ATMs Through Zero-Day Attacks

By Phil Stafford August 24, 2022 In Bitcoin ATMs, Crypto News, Hackers

Adding to recent consumer consternation caused by illiquid crypto exchanges and lenders, hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal funds from customers.

General Bytes is the manufacturer of Bitcoin ATMs that, depending on the product, allow users to purchase or sell more than 40 different cryptocurrencies. However, in recent incidents that have seriously compromised their security, when customers have deposited or purchased cryptocurrency using these ATMs, the funds were instead siphoned off by hackers.

Remote Servers to Blame

The Bitcoin ATMs are controlled by a remote Crypto Application Server (CAS) that manages the ATM’s operation, which cryptocurrencies are supported, and executes the purchases and sales of cryptos on exchanges.

According to General Bytes’ security advice, the attacks were conducted using a zero-day vulnerability in its CAS:


The attacker was able to create an admin user remotely via the CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208.

General Bytes security advice

General Bytes believes the hackers scanned the internet for exposed servers running on TCP ports 7777 or 443, including servers hosted at Digital Ocean and General Bytes’ own cloud service.

The hackers then exploited the bug to add a default admin user named ‘gb’ to the CAS, and modified the ‘buy’ and ‘sell’ crypto settings and ‘invalid payment address’ to recognise a crypto wallet under the hackers’ control.

Funds Diverted to Hackers’ Wallet

Once they had modified these settings, any cryptocurrencies received by CAS were forwarded to the hackers instead. “Two-way ATMs started to forward coins to the attackers’ wallet when customers sent coins to the ATM,” according to the security advice.

General Bytes, one of the largest manufacturers of cryptocurrency ATMs with almost 9,000 machines installed all over the world, is warning customers not to operate Bitcoin ATMs until they have applied two server patch releases, 20220531.38 and 20220725.22, on their servers. It has also provided a checklist of steps to perform on the devices before they are put back into service.

Most Exposed Servers Are in Canada

While it remains unclear how many servers were breached using this vulnerability and how much cryptocurrency was stolen, according to information provided by security firm BinaryEdge there are currently 18 General Bytes Crypto Application Servers still exposed to the internet, with the majority located in Canada.

Last year, El Salvador led the adoption of bitcoin in Central and South America by launching 1,000 Bitcoin ATMs across the country for buying and selling BTC. However, less than three months later a bitcoin ATM was burned and defaced with anti-BTC messages as protesters demonstrated resistance towards El Salvador’s pro-crypto President Nayib Bukele.

Phil Stafford

Phil Stafford

Phil is a long-standing Australian journalist with specialised experience in business, finance, travel and popular culture.

You may also like