security breach

Bitcoin ATM maker shuts cloud service after user hot wallets compromised

Bitcoin ATM manufacturer General Bytes said a hacker was able to install and run a Java application in its terminals that could access user information and send funds from hot wallets.

Bitcoin ATM manufacturer General Bytes has shuttered its cloud services after discovering a “security vulnerability” that allowed an attacker to access users’ hot wallets and gain sensitive information, such as passwords and private keys.

The company is based in Prague and according to its website has sold over 15,000 Bitcoin (BTC) ATMs to purchasers in over 149 countries all over the world.

In a March 18 patch release bulletin, the ATM manufacturer issued a warning explaining that a hacker has been able to remotely upload and run a Java application via the master service interface into its terminals aimed at stealing user information and sending funds from hot wallets.

General Byes founder Karel Kyovsky in the bulletin explained this allowed the hacker to achieve the following:

  • “Ability to access the database.
  • Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.
  • Send funds from hot wallets.
  • Download user names, their password hashes and turn off 2FA.
  • Ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM. Older versions of ATM software were logging this information.”

The notice reveals that both General Bytes’ cloud service was breached as well as other operators’ standalone servers. 

“We’ve concluded multiple security audits since 2021, and none of them identified this vulnerability,” Kyovsky said.

Hot wallets compromised

Though the company noted that the hacker was able to “Send funds from hot wallets,” it did not disclose how much was stolen as a result of the breach.

However, General Bytes released the details of 41 wallet addresses that were used in the attack. On-chain data shows multiple transactions into one of the wallets, resulting in a total balance of 56 BTC, worth over $1.54 million at current prices.

General Bytes released the details of 41 wallet addresses used in the attack. Source: General Bytes

Another wallet shows multiple Ether (ETH) transactions, with the total received amounting to 21.82 ETH, worth roughly $36,000 at current prices.

Cointelegraph reached out to General Bytes for confirmation but did not receive a reply before publication.

Related: Bitcoin ATM decline: Over 400 machines went off the grid in under 60 days

The company has urgently advised BTC ATM operators to install their own standalone server and released two patches for their Crypto Application Server (CAS), which manages the ATM’s operation.

General Bytes is a Bitcoin ATM manufacturer based in Prague that has sold over 15,000 ATMs worldwide. Source: General Bytes

“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN,” Kyovsky wrote.

“Additionally consider all your user’s passwords, and API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys & password.”

General Bytes previously had its servers compromised via a zero-day attack last September that enabled hackers to make themselves the default administrators and modify settings so that all funds would be transferred.

Algodex reveals wallet infiltrated by ‘malicious’ actor as MyAlgo renews warning: Withdraw now

Crypto exchange Algodex and wallet provider MyAlgo have suffered security breaches in the last few weeks.

Algorand-based wallet provider MyAlgo has again urged users to withdraw their funds after a February security breach which doesn’t appear to have been resolved.

Meanwhile, decentralized exchange Algodex has revealed a malicious actor infiltrated a company wallet on March 5 in what “appears to be similar to what is currently happening in the Algorand ecosystem,” it said in a tweet.

In a March 6 post, Algodex explained that a malicious actor infiltrated a company wallet during the early hours of the previous morning.

Algodex took precautions before the attack, including moving the bulk of its USD Coin (USDC) and native Algodex (ALGX) tokens to secure locations.

However, the infiltrated wallet was tied to Algodex’s liquidity rewards program and was responsible for providing extra liquidity to the ALGX token.

“This resulted in the malicious actor being able to remove the Algo and ALGX in the Tinyman pool created by us to provide additional liquidity to the ALGX token,” Algodex said.

The exchange noted that $25,000 in ALGX tokens allocated to provide liquidity rewards were taken but said it would replace this in full.

It added that the total loss from the theft was less than $55,000, but Algodex users and the liquidity of ALGX were not affected.

Meanwhile, the wallet provider for the Algorand network, MyAlgo, has renewed warnings for users to withdraw their assets or rekey their funds to new accounts as soon as possible.

Multiple warnings have been issued after a Feb. 19–21 security breach at MyAlgo, which resulted in losses of around $9.2 million.

On Feb. 27, the MyAlgo team tweeted a warning of a targeted attack carried out “against a group of high-profile MyAlgo accounts” conducted over the past week.

Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

The wallet provider further stated the cause for the wallet hack was unknown and encouraged “everyone to take precautionary measures to protect their assets” by transferring funds or rekeying accounts.

John Wood, chief technology officer at the networks governance body, the Algorand Foundation, went on Twitter the same day, saying around 25 accounts were affected by the exploit.

“This is not the result of an underlying issue with the Algorand protocol or SDK,” he said.