Bitcoin Depot, one of the world's largest Bitcoin ATM operators, suffered a $3.6 million cryptocurrency theft after hackers breached its systems and stole credentials to digital asset settlement accounts.
Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month. The company manages more than 25,000 Bitcoin ATMs and BDCheckout locations worldwide and reported revenue of $615 million in 2025.
As revealed in a filing with the U.S. Securities and Exchange Commission, the company discovered the attack on March 23 after detecting suspicious activity on some of its IT systems. While it took immediate measures to contain the breach, the attackers had time to steal credentials to digital asset settlement accounts and transfer over 50 Bitcoin from Bitcoin Depot's wallets before their access was blocked.
"On March 23, 2026, Bitcoin Depot Inc. (the 'Company') discovered that an unauthorized party gained access to certain of its information technology systems. Upon detection, the Company promptly activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement," Bitcoin Depot said.
"As a result, the unauthorized actor transferred approximately 50.903 Bitcoin from Company-controlled wallets, valued at approximately $3.665 million as of the date of this report, without authorization. The Company further believes that the incident was contained to the Company's corporate environment and did not affect the Company's customer platforms, divisions, systems, data or environments."
The company has also notified law enforcement of the breach and has hired external cybersecurity experts to help investigate the incident. While it has insurance coverage for cyber-attacks, Bitcoin Depot says that this might not cover all losses directly resulting from the attack.
"On April 6, 2026, the Company nevertheless determined that the incident is material in light of potential consequences of the incident, including reputational harm, legal, regulatory and response costs," it added.
"The Company maintains insurance coverage that may cover certain losses associated with cybersecurity incidents, but there can be no assurance that such coverage will be sufficient to recover any or all losses incurred as a result of this incident."
Last year, Bitcoin Depot also notified nearly 26,000 people of a 2024 data breach, stemming from an attack in which threat actors breached its systems to steal the affected individuals' personal information (i.e., full names, addresses, dates of birth, driver's license numbers, email addresses, and phone numbers).
In December 2024, U.S. Bitcoin ATM operator Byte Federal disclosed a similar incident that resulted in a data breach affecting 58,000 customers.

The Growing Threat to Crypto ATM Networks
The Bitcoin Depot breach highlights the increasing vulnerability of cryptocurrency infrastructure to sophisticated cyber attacks. As the crypto ATM industry continues to expand, with Bitcoin Depot alone operating over 25,000 machines globally, these networks have become attractive targets for financially motivated threat actors.
Cryptocurrency ATMs operate differently from traditional ATMs. While conventional ATMs connect to banking networks to dispense cash from user accounts, crypto ATMs facilitate the purchase and sale of digital currencies. Users can insert cash to buy Bitcoin or other cryptocurrencies, or sell crypto to receive cash. This process requires the ATM operator to maintain hot wallets—cryptocurrency wallets connected to the internet for immediate transactions.
These hot wallets are particularly vulnerable because they must maintain sufficient liquidity to process transactions quickly. The compromise of wallet credentials, as appears to have happened in the Bitcoin Depot case, can lead to immediate and substantial losses.
How the Attack Likely Unfolded
While Bitcoin Depot hasn't disclosed specific technical details about the attack vector, the description suggests a multi-stage compromise:
- Initial Access: The attackers gained access to Bitcoin Depot's corporate IT systems, likely through phishing, credential stuffing, or exploitation of unpatched vulnerabilities.
- Lateral Movement: Once inside the network, the attackers likely moved laterally to locate systems containing wallet credentials or access to settlement accounts.
- Credential Theft: The attackers obtained credentials for digital asset settlement accounts—the systems that manage the movement of cryptocurrency between wallets.
- Fund Exfiltration: Using the stolen credentials, the attackers transferred approximately 50.903 Bitcoin (worth $3.665 million at the time) from Bitcoin Depot's wallets to wallets under their control.
- Attempted Concealment: The attackers likely attempted to launder the stolen funds through cryptocurrency mixers or by converting them to other cryptocurrencies to obscure the trail.
Industry-Wide Security Challenges
The Bitcoin Depot incident is part of a broader pattern of attacks targeting cryptocurrency infrastructure. The decentralized and pseudonymous nature of cryptocurrency transactions makes them particularly attractive to cybercriminals, as stolen funds can be difficult to trace and recover.
Other recent incidents in the crypto ATM space include:
- Byte Federal: In December 2024, this U.S. Bitcoin ATM operator disclosed a data breach affecting 58,000 customers after attackers compromised their systems.
- General ATM Vulnerabilities: Cryptocurrency ATMs often run on custom software stacks that may not receive the same level of security scrutiny as traditional banking systems.
- Physical Security Concerns: In addition to cyber attacks, crypto ATMs face physical security risks, including theft of the machines themselves or tampering with hardware.
Implications for Users and the Industry
For Bitcoin Depot customers, the company has stated that customer platforms, data, and environments were not affected by this breach. However, the incident raises questions about the overall security of cryptocurrency ATM networks and the measures in place to protect user funds.
For the broader cryptocurrency industry, this attack underscores several critical security considerations:
- Hot Wallet Security: Companies must implement robust security measures for hot wallets, including multi-signature requirements, hardware security modules, and real-time monitoring for suspicious activity.
- Access Controls: Strict access controls and the principle of least privilege should be enforced to limit the potential impact of compromised credentials.
- Incident Response: Rapid detection and response capabilities are essential, as demonstrated by Bitcoin Depot's ability to contain the breach once detected, though the attackers had already exfiltrated funds.
- Insurance Limitations: The uncertainty around insurance coverage highlights the financial risks that cryptocurrency companies face and the need for comprehensive risk management strategies.
Looking Forward
The Bitcoin Depot breach serves as a wake-up call for the cryptocurrency ATM industry. As these services become more mainstream and handle larger volumes of transactions, the incentive for attackers will only increase.
Industry experts recommend several steps for crypto ATM operators to enhance security:
- Implement multi-factor authentication for all administrative access
- Use hardware security modules for key management
- Conduct regular penetration testing and security audits
- Employ real-time transaction monitoring and anomaly detection
- Maintain comprehensive incident response plans
- Consider using multi-signature wallets that require multiple approvals for large transactions
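One way to express the hot-wallet controls named above (real-time transaction monitoring and multiple approvals for large transactions) as a policy check that runs before any transfer is signed. This is an added example, not code from Bitcoin Depot or the original article; the limits, placeholder addresses, approver names, and the `Withdrawal` and `evaluate` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed policy values for illustration; not any operator's real configuration.
ALLOWLIST = {"bc1q-settlement-cold-PLACEHOLDER", "bc1q-exchange-PLACEHOLDER"}
PER_TX_LIMIT = Decimal("2.0")    # BTC one operator may send without a second approver
WINDOW_LIMIT = Decimal("10.0")   # BTC allowed to leave the hot wallet per window
WINDOW_SECONDS = 3600
REQUIRED_APPROVERS = 2           # distinct approvers needed above PER_TX_LIMIT

@dataclass(frozen=True)
class Withdrawal:
    ts: int                      # request time, seconds
    dest: str                    # destination address
    amount: Decimal              # BTC
    approvers: frozenset         # identities that approved the request

def evaluate(requests):
    """Return [(decision, reasons)] in time order; only ALLOWed amounts count as outflow."""
    sent = []                    # (ts, amount) of transfers already allowed
    results = []
    for r in sorted(requests, key=lambda r: r.ts):
        reasons = []
        if r.dest not in ALLOWLIST:
            reasons.append("destination not allowlisted")
        if r.amount > PER_TX_LIMIT and len(r.approvers) < REQUIRED_APPROVERS:
            reasons.append("large transfer lacks second approver")
        recent = sum((a for t, a in sent if r.ts - t < WINDOW_SECONDS), Decimal(0))
        if recent + r.amount > WINDOW_LIMIT:
            reasons.append("rolling outflow limit exceeded")
        if reasons:
            results.append(("HOLD", reasons))   # hold for review, do not sign
        else:
            sent.append((r.ts, r.amount))
            results.append(("ALLOW", []))
    return results

# Constructed sample requests; the 50.903 BTC amount reuses the reported total as one request.
SAMPLE = [
    Withdrawal(0, "bc1q-exchange-PLACEHOLDER", Decimal("1.5"), frozenset({"alice"})),
    Withdrawal(600, "bc1q-settlement-cold-PLACEHOLDER", Decimal("8.0"), frozenset({"alice", "bob"})),
    Withdrawal(900, "bc1q-exchange-PLACEHOLDER", Decimal("1.0"), frozenset({"alice"})),
    Withdrawal(1200, "bc1q-unknown-PLACEHOLDER", Decimal("50.903"), frozenset({"alice"})),
    Withdrawal(4300, "bc1q-exchange-PLACEHOLDER", Decimal("1.0"), frozenset({"alice"})),
]

if __name__ == "__main__":
    for req, (decision, why) in zip(SAMPLE, evaluate(SAMPLE)):
        print(req.ts, req.amount, decision, "; ".join(why))
```

A check like this only limits losses if it is enforced by the signing service or HSM policy rather than by the application that holds the settlement credentials, since a stolen credential would otherwise bypass it.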
As the investigation into the Bitcoin Depot breach continues, the cryptocurrency community will be watching closely to understand how the attackers gained access and what lessons can be learned to prevent similar incidents in the future. The incident also highlights the ongoing tension between the convenience of cryptocurrency ATMs and the security challenges they present in an increasingly hostile threat landscape.
