Hackers Steal $3.6 Million From Crypto‑ATM Giant Bitcoin Depot

Hackers Steal $3.6 Million From Crypto‑ATM Giant Bitcoin Depot

Bitcoin Depot, one of the world’s largest Bitcoin ATM operators, disclosed that attackers stole $3.665 million worth of Bitcoin—about 50.9 coins—from its crypto wallets after breaching its systems in March 2026. The breach was detected on March 23, prompting immediate incident response, external cyber‑security assistance, and law‑enforcement notification. While the company believes customer platforms were unaffected, it warned that insurance may not fully cover the losses and noted potential reputational, legal, and regulatory impacts. This follows previous data breaches affecting tens of thousands of users in 2024 and 2025.

TechLogHub

April 9, 2026

0 views

HACKERS STEAL $3.6 MILLION FROM CRYPTO ATM GIANT BITCOIN DEPOT

Overview

On March 23, 2026, Bitcoin Depot detected unauthorized access to certain information technology systems.
The breach enabled attackers to transfer digital assets from company wallets, resulting in an attempted loss of approximately 50.903 Bitcoin, valued at about $3.665 million at the time of the report.
Bitcoin Depot operates one of the world’s largest Bitcoin ATM networks, with more than 25,000 ATMs and BDCheckout locations, and it reported 2025 revenue around $615 million.
Management stated that the incident appeared contained to the corporate environment and did not impact customer platforms, divisions, systems, data, or environments.

What Happened and How It Was Detected

Attackers gained access to credentials tied to settlement accounts for digital assets.
Upon discovery, the company activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement.
The unauthorized actor managed to transfer roughly 50.903 BTC from company-controlled wallets before access was blocked.

Financial and Insurance Aspects

The total value of the stolen cryptocurrency was approximately $3.665 million as of the reporting date.
Bitcoin Depot carries cyber insurance, but management cautioned that coverage may not fully offset all losses.
The incident was deemed material due to potential consequences including reputational harm, regulatory scrutiny, and response costs.

Timeline of Related Events

2024: Bitcoin Depot notified nearly 26,000 individuals about a data breach exposing personal information such as names, addresses, dates of birth, driver’s license numbers, email addresses, and phone numbers.
December 2024: Byte Federal, another crypto ATM operator, disclosed a data breach affecting 58,000 customers.
March 23, 2026: Unauthorized access detected; immediate containment and investigation initiated.
April 6, 2026: Company characterized the incident as material, noting potential broader consequences beyond the immediate financial loss.

Company Response and Next Steps

The incident response plan was executed promptly after detection, with external cybersecurity experts brought in and law enforcement informed.
Affected stakeholders were notified where applicable, and ongoing investigation and assessment of losses were undertaken.
The company indicated continued evaluation of remediation measures and potential long-term impacts.

Context: Past Breaches in the Crypto ATM Sector

The 2024 breach at Bitcoin Depot involved exposure of personal data for thousands of individuals, underscoring ongoing risk to customer and employee information.
In the same general timeframe, Byte Federal disclosed a data breach affecting tens of thousands of customers, highlighting a pattern of security challenges in the crypto ATM space.

Security Testing and Validation Surfaces: Industry Note

A whitepaper discussed the limitations of automated pentesting, showing that automated tests cover only one of six validation surfaces.
The document argues that automated testing alone is insufficient and must be complemented by a comprehensive validation approach to determine whether security controls actually prevent breaches (a process BAS supports).
The whitepaper provides diagnostic questions to help practitioners evaluate tools and expose gaps where attack paths may remain untested.

Contextual Coverage: Related Security Incidents

High-profile security events in the tech and financial sectors, such as data-wipe incidents and breaches affecting government portals or fintech firms, illustrate the broader vulnerability landscape for organizations handling sensitive financial and personal data.
These incidents emphasize the importance of layered security, incident response readiness, and continuous validation across multiple surfaces.

Quick Reference: Key Figures and Entities

Bitcoin Depot: operator of an extensive ATM network with global reach and BDCheckout offerings.
2025 revenue: reported around $615 million.
Stolen amount: approximately 50.903 BTC, valued at about $3.665 million at the time of reporting.
Notable data breaches: 2024 breach affecting about 26,000 individuals; 2024 Byte Federal breach affecting about 58,000 customers.

Hackers Steal $3.6 Million From Crypto‑ATM Giant Bitcoin Depot

TechLogHub

April 9, 2026

0 views

HACKERS STEAL $3.6 MILLION FROM CRYPTO ATM GIANT BITCOIN DEPOT

Overview

On March 23, 2026, Bitcoin Depot detected unauthorized access to certain information technology systems.
The breach enabled attackers to transfer digital assets from company wallets, resulting in an attempted loss of approximately 50.903 Bitcoin, valued at about $3.665 million at the time of the report.
Bitcoin Depot operates one of the world’s largest Bitcoin ATM networks, with more than 25,000 ATMs and BDCheckout locations, and it reported 2025 revenue around $615 million.
Management stated that the incident appeared contained to the corporate environment and did not impact customer platforms, divisions, systems, data, or environments.

What Happened and How It Was Detected

Attackers gained access to credentials tied to settlement accounts for digital assets.
Upon discovery, the company activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement.
The unauthorized actor managed to transfer roughly 50.903 BTC from company-controlled wallets before access was blocked.

Financial and Insurance Aspects

The total value of the stolen cryptocurrency was approximately $3.665 million as of the reporting date.
Bitcoin Depot carries cyber insurance, but management cautioned that coverage may not fully offset all losses.
The incident was deemed material due to potential consequences including reputational harm, regulatory scrutiny, and response costs.

Timeline of Related Events

2024: Bitcoin Depot notified nearly 26,000 individuals about a data breach exposing personal information such as names, addresses, dates of birth, driver’s license numbers, email addresses, and phone numbers.
December 2024: Byte Federal, another crypto ATM operator, disclosed a data breach affecting 58,000 customers.
March 23, 2026: Unauthorized access detected; immediate containment and investigation initiated.
April 6, 2026: Company characterized the incident as material, noting potential broader consequences beyond the immediate financial loss.

Company Response and Next Steps

The incident response plan was executed promptly after detection, with external cybersecurity experts brought in and law enforcement informed.
Affected stakeholders were notified where applicable, and ongoing investigation and assessment of losses were undertaken.
The company indicated continued evaluation of remediation measures and potential long-term impacts.

Context: Past Breaches in the Crypto ATM Sector

The 2024 breach at Bitcoin Depot involved exposure of personal data for thousands of individuals, underscoring ongoing risk to customer and employee information.
In the same general timeframe, Byte Federal disclosed a data breach affecting tens of thousands of customers, highlighting a pattern of security challenges in the crypto ATM space.

Security Testing and Validation Surfaces: Industry Note

A whitepaper discussed the limitations of automated pentesting, showing that automated tests cover only one of six validation surfaces.
The document argues that automated testing alone is insufficient and must be complemented by a comprehensive validation approach to determine whether security controls actually prevent breaches (a process BAS supports).
The whitepaper provides diagnostic questions to help practitioners evaluate tools and expose gaps where attack paths may remain untested.

Contextual Coverage: Related Security Incidents

High-profile security events in the tech and financial sectors, such as data-wipe incidents and breaches affecting government portals or fintech firms, illustrate the broader vulnerability landscape for organizations handling sensitive financial and personal data.
These incidents emphasize the importance of layered security, incident response readiness, and continuous validation across multiple surfaces.

Quick Reference: Key Figures and Entities

Bitcoin Depot: operator of an extensive ATM network with global reach and BDCheckout offerings.
2025 revenue: reported around $615 million.
Stolen amount: approximately 50.903 BTC, valued at about $3.665 million at the time of reporting.
Notable data breaches: 2024 breach affecting about 26,000 individuals; 2024 Byte Federal breach affecting about 58,000 customers.

Hackers Steal $3.6 Million From Crypto‑ATM Giant Bitcoin Depot

Stay Updated

Hackers Steal $3.6 Million From Crypto‑ATM Giant Bitcoin Depot

Stay Updated