Bitcoin ATM bug let thieves siphon off crypto withdrawals

A zero-day in an ATM allowed thieves to divert the tokens to their wallets

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A security vulnerability in a series of bitcoin ATM machines allowed cybercriminals to steal valuable tokens from users, it has been revealed.

In an announcement, General Bytes, the maker of the ATMs in question, said that unknown threat actors discovered a zero-day vulnerability in the devices and used it to siphon cryptocurrencies from user accounts.

As the company explained, these ATMs are controlled by a remote Crypto Application Server (CAS), and whoever was behind the theft found a hole in the CAS.

“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” General Bytes said. “This vulnerability has been present in CAS software since version 20201208.”

Diverting the coins

After that, whenever someone tried to deposit or withdraw cryptocurrency using the ATM, the funds would simply be diverted to a wallet belonging to the hackers.

“Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to ATM,” the company further explained.

The company was tipped off by a user whose funds had been stolen. It is unclear how many people were affected by the flaw, or how much in cryptocurrencies the thieves managed to steal.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Australia gets its first Bitcoin ATM

Bitcoin cash machine pops up in Tech City, offering digital dough for banknotes

Since then, though, apatchhas been released. The company has updated the CAS to versions 20220531.38 and 20220725.22 and urged ATM service providers to pull the devices out until they apply the patch. Most of the unpatched devices, roughly two dozen of them, are located in Canada, it was said.

Furthermore, asBleepingComputerreported, the attack would not have been possible in the first place, had theserversbeenfirewalledto only allow trusted IP addresses to establish a connection.

ViaBleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Red One isn’t perfect but it proves we need more action-packed Christmas movies