A hacker was able to upload their own Java application onto General Bytes’ bitcoin ATMs, which enabled the attacker to read and decrypt API keys to access funds on exchanges and hot wallets.
The company posted a high severity security incident warning on its Confluence page on March 18. The attacker was able to access the database, download user names and passwords as well as turn off two-factor authentication and scan terminal event logs for instances when customers scanned private keys in the ATM, the company said.
“We urge all our customers to take immediate action to protect their funds and personal information and carefully read the security bulletin listed here,” the company said on Twitter.
How did it happen?
The hacker was able to mount the attack by uploading their own Java application and running it remotely, using the master service interface, which is used in bitcoin ATMs to upload videos to the server, the company said.
Both General Bytes’ cloud service and standalone servers were compromised and as a result the company is closing down its cloud service.
“It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors,” said the company in the post, adding that it would provide support to customers to transition from the cloud service to running their own standalone servers.
The company published steps to implement the security fix. It also said that in multiple audits that had been completed since 2021 it had not identified this vulnerability.
$1.5 million of bitcoin stolen
The security post also listed the crypto addresses and APIs used by the attacker. On-chain analysis shows a balance of 56 bitcoin ($1.5 million) in the bitcoin wallet linked to the attacker.
This isn’t the first time General Bytes has experienced an attack. In August of last year, a hacker was able to steal funds from customers making deposits at its bitcoin ATMs. In that case, the hacker modified the crypto settings of two-way machines with their wallet settings and the invalid payment address setting.
General Bytes website states that it has sold more than 15,000 machines in over 140 countries.
The company didn’t immediately respond to request for comment.
This article has been originally published at: https://www.theblock.co/post/221032/bitcoin-atm-maker-general-bytes-shuts-down-its-cloud-service-after-hacker-identifies-vulnerability-enabling-them-to-decrypt-api-keys