Malicious actors have taken advantage of a zero-day flaw in General Bytes Bitcoin ATM servers to steal cryptocurrency from clients.

The way it works is that once a person deposits or buys bitcoin through the ATM, the money will instead be diverted to the threat actors.

The hardware and software company General Bytes produces Bitcoin ATMs that, depending on the product, let users buy or trade approximately 50 different cryptocurrencies.

The Bitcoin ATMs are managed by a remote Crypto Application Server (CAS), which also oversees the functionality of the ATM, determines what cryptocurrencies are supported, and performs the transactions of bitcoin on exchanges.

How Did the Attack Happen?

A security advisory published by General Bytes last week disclosed that the cyberattacks were carried out by exploiting a zero-day weakness in the bitcoin and blockchain technology provider’s CAS.

The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 20201208.


General Bytes thinks that the attackers searched the internet for vulnerable servers using the TCP ports 7777 or 443, including those hosted at Digital Ocean and its own cloud service.

Following this, the cybercriminals abused the flaw to create a default admin user named “gb” to the CAS and changed the “buy” and “sell” cryptocurrency settings, and “invalid payment address” to use an attacker-controlled cryptocurrency wallet.

The threat actors changed these settings so that any cryptocurrency that was collected by CAS was instead sent to the hackers.

Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to ATM.


Customers are being advised by the company not to use their Bitcoin ATMs until two server patch releases—20220531.38 and 20220725.22—have been applied to their servers.

Furthermore, General Bytes offered a checklist of procedures to be performed on the devices before they are returned to normal use.

Based on data from BinaryEdge, at the moment, there are eighteen General Bytes Crypto Application Servers still exposed to the Internet, most of them being based in Canada.

It is not known how many servers were compromised using this flaw or how much cryptocurrency was taken.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Watch out! Attackers Can Guess Your Credit Card PIN Even If You Are Covering the ATM Pad

Defining Zero Day Vulnerability

Cryptocurrency Security: How to Safely Invest in Digital Currency

10+ Cryptocurrency Fraud and Scams You Need to Pay Attention to

Leave a Reply

Your email address will not be published. Required fields are marked *