Zero-day bug exploited to steal cryptocurrency from Bitcoin ATM maker

A Bitcoin ATM is seen June 13, 2022, in the Brooklyn Heights neighborhood of New York City. (Photo by Michael M. Santiago/Getty Images)

Hackers were able to steal cryptocurrency from customers via a zero-day bug in Bitcoin ATMs that allowed them to create admin user profiles.

Bleeping Computer reported that Bitcoin ATM manufacturer General Bytes is warning operators not to operate their servers until they’ve patched their systems.

“The attacker was able to create an admin user remotely via CAS [Crypto Application Server] administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” read the Aug. 18 General Bytes security update on its wiki.

The attacker was able to have payments forwarded to their own crypto wallets on a number of two-way machines when customers sent invalid payments to BATMs, General Bytes said in the update. The security update also noted that all affected operators were notified. 
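The flaw described in the security update is a first-run setup page that still creates administrators after installation is finished. The sketch below is an added example, not General Bytes' code or its patch: it puts an unguarded first-admin handler beside a guarded one. The `AdminStore` class, the install-time setup token and the localhost-only rule are assumptions made for illustration.

```python
import hmac
import secrets

class SetupError(Exception):
    """Raised when a first-run setup request must be refused."""

class AdminStore:
    """In-memory stand-in for a server's admin table (constructed for this example)."""

    def __init__(self):
        self.admins = []
        # Assumption: a one-time token is shown to the local operator at install time.
        self.setup_token = secrets.token_urlsafe(32)

    def setup_unguarded(self, username):
        # Weak form: the first-admin page keeps working after installation,
        # so any later caller can add another administrator.
        self.admins.append(username)
        return username

    def setup_guarded(self, username, token, remote_addr):
        # 1. Setup is one-time: refuse as soon as any admin exists.
        if self.admins:
            raise SetupError("setup already completed")
        # 2. Only the local operator may run it.
        if remote_addr not in ("127.0.0.1", "::1"):
            raise SetupError("setup allowed from localhost only")
        # 3. The caller must present the install-time token (constant-time compare).
        if self.setup_token is None or not hmac.compare_digest(token, self.setup_token):
            raise SetupError("invalid setup token")
        self.admins.append(username)
        self.setup_token = None  # burn the token so it cannot be replayed
        return username

def demo():
    """Send the same post-install request to both handlers (constructed inputs)."""
    weak = AdminStore()
    weak.setup_unguarded("operator")
    weak.setup_unguarded("intruder")  # accepted: a second admin now exists
    strong = AdminStore()
    strong.setup_guarded("operator", strong.setup_token, "127.0.0.1")
    try:
        strong.setup_guarded("intruder", "guess", "203.0.113.7")
        refused = False
    except SetupError:
        refused = True
    return {"unguarded_admins": weak.admins, "guarded_admins": strong.admins,
            "guarded_refused": refused}

if __name__ == "__main__":
    print(demo())
```
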

The update further notes that the vulnerability has been present since 2020, but that the attack began three days after General Bytes publicly announced its “Help Ukraine” feature on its terminals.

“We’ve concluded multiple security audits since 2020, and none of them identified this vulnerability. The attack started on the 3rd day after we publicly announced the ‘Help Ukraine’ feature on our BATMs,” they wrote.