Bitcoin ATM manufacturer General Bytes has shuttered its cloud services after discovering a “security vulnerability” that allowed an attacker to access users’ hot wallets and gain sensitive information, such as passwords and private keys.
In a March 18 patch release bulletin, the ATM manufacturer issued a warning explaining that a hacker has been able to remotely upload and run a Java application via the master service interface into its terminals aimed at stealing user information and sending funds from hot wallets.
On March 17-18th, 2023, GENERAL BYTES experienced a security incident.
We released a statement urging customers to take immediate action to protect their personal information.
— GENERAL BYTES (@generalbytes) March 18, 2023
General Byes founder Karel Kyovsky in the bulletin explained this allowed the hacker to achieve the following:
- “Ability to access the database.
- Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.
- Send funds from hot wallets.
- Download user names, their password hashes and turn off 2FA.
- Ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM. Older versions of ATM software were logging this information.”
The notice reveals that both General Bytes’ cloud service was breached as well as other operators’ standalone severs.
“We’ve concluded multiple security audits since 2021, and none of them identified this vulnerability,” Kyovsky said.
Hot wallets compromised
Though the company noted that the hacker was able to “Send funds from hot wallets,” it did not disclose how much was stolen as a result of the breach.
However, General Bytes released the details of 41 wallet addresses that were used in the attack. On-chain data shows multiple transactions into one of the wallets, resulting in a total balance of 56 BTC, worth over $1.54 million at current prices.
Another wallet shows multiple Ether (ETH) transactions, with the total received amounting to 21.82 ETH, worth roughly $36,000 at current prices.
Cointelegraph reached out to General Bytes for confirmation but did not receive a reply before publication.
“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN,” Kyovsky wrote.
“Additionally consider all your user’s passwords, and API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys & password.”
General Bytes previously had its servers compromised via a zero-day attack in September last year that enabled hackers to make themselves the default administrators and modify settings so that all funds would be transferred.