Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

Hacker Exploits Months-Old Bug to Steal Crypto From ATMs

Now-Patched Bug Allowed Thief to Remotely Steal User Passwords, Private Keys
Hacker Exploits Months-Old Bug to Steal Crypto From ATMs
Image: Shutterstock

A Bitcoin ATM manufacturer suspended cloud services supporting more than 15,000 machines after a hacker exploited a vulnerability in its software and made off with cryptocurrency worth millions of dollars.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

A hacker on Friday and Saturday exploited the now-patched bug in Prague-based General Bytes' master service interface to access passwords, private keys of ATM users and their hot wallets - digital wallets connected to the internet.

The hacker exploited the vulnerability on the master service interface, which the company uses to upload security videos from the ATMs to its servers, to remotely run a Java application on its terminals. With unauthorized access to the company's database, the hacker could read and decrypt API keys to get their hands on funds in hot wallets and exchanges, send the funds to a wallet of their choice from the compromised hot wallets, download user names and password hashes and turn off two-factor authentication, and access terminal event logs to find instances in which customers scanned their private keys at the ATM.

General Bytes did not specify the amount the hacker stole, but on-chain data suggests the number is likely to be around $1.54 million.

The vulnerability, which "multiple" security auditors have missed since 2021, affects General Bytes' cloud service along with the operator's stand-alone servers.

General Bytes released two patches for its Crypto Application Server. It advised the operators of its ATMs to review the server's users and the permissions they're allowed, delete unauthorized ones and reset passwords for the rest. The operators must ensure that the attacker has not changed the default receiver crypto wallet to their own wallet, the company said.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.