Wednesday, June 19, 2024

Zero-day Abused by Cybercriminals to Steal Crypto from Bitcoin ATMs

Malicious actors have taken advantage of a zero-day flaw in General Bytes Bitcoin ATM servers to steal cryptocurrency from clients.

The way it works is that once a person deposits or buys bitcoin through the ATM, the money will instead be diverted to the threat actors.

The hardware and software company General Bytes produces Bitcoin ATMs that, depending on the product, let users buy or trade approximately 50 different cryptocurrencies.

The Bitcoin ATMs are managed by a remote Crypto Application Server (CAS), which also oversees the functionality of the ATM, determines what cryptocurrencies are supported, and performs the transactions of bitcoin on exchanges.

How Did the Attack Happen?

A security advisory published by General Bytes last week disclosed that the cyberattacks were carried out by exploiting a zero-day weakness in the bitcoin and blockchain technology provider’s CAS.

The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208.

General Bytes thinks that the attackers searched the internet for vulnerable servers using the TCP ports 7777 or 443, including those hosted at Digital Ocean and its own cloud service.

Following this, the cybercriminals abused the flaw to create a default admin user named “gb” to the CAS and changed the “buy” and “sell” cryptocurrency settings, and “invalid payment address” to use an attacker-controlled cryptocurrency wallet.

The threat actors changed these settings so that any cryptocurrency that was collected by CAS was instead sent to the hackers.

Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to ATM.


Customers are being advised by the company not to use their Bitcoin ATMs until two server patch releases—20220531.38 and 20220725.22—have been applied to their servers.

Recommended:  Apple patches three actively exploited zero‑day flaws in iOS

Furthermore, General Bytes offered a checklist of procedures to be performed on the devices before they are returned to normal use.

Based on data from BinaryEdge, at the moment, there are eighteen General Bytes Crypto Application Servers still exposed to the Internet, most of them being based in Canada.

It is not known how many servers were compromised using this flaw or how much cryptocurrency was taken.


Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
ClosePlease login
Just your average information security researcher from Delaware US.
User Avatar
Latest posts by RiSec.Mitch (see all)
Recommended:  San Francisco 49ers confirm ransomware attack
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates