Thursday, May 15, 2025
HomeCyber Security NewsHackers Exploited a Zero-day Flaw in Bitcoin ATM Servers to Steal Cryptocurrency

Hackers Exploited a Zero-day Flaw in Bitcoin ATM Servers to Steal Cryptocurrency

Published on

SIEM as a Service

Follow Us on Google News

General Bytes Bitcoin ATM servers have been exploited by hackers in order to steal cryptocurrency from their customers as a result of a zero-day vulnerability.

Whenever cryptocurrency was deposited or purchased via the ATM, hackers would take advantage of the situation in order to siphon off the funds.

General Bytes manufactures Bitcoin ATMs that are capable of purchasing and selling over 40 different cryptocurrencies, depending on the model.

- Advertisement - Google News

There is a CAS that controls the Bitcoin ATMs remotely, enabling the following functions:-

  • Ensures that the ATM is operating as it should
  • What cryptocurrencies are supported
  • Performs transactions on exchanges for the purchase and sale of cryptocurrencies

Zero-day Vulnerability in Bitcoin ATM servers

The CAS software was vulnerable to this zero-day vulnerability since it was released in version 20201208. On August 18th, General Bytes published a security advisory that outlined the following:-

“As part of the attacks, the company’s CAS was exposed to a zero-day vulnerability, which was exploited by the attacker.”

A URL call on the page granted the attacker access to the CAS administrative interface, where the hacker was able to create an admin user remotely. A default installation is performed on this page, along with the creation of the first administrator account on the server.

A scan for any exposures of servers running on any of the following TCP ports was conducted by the threat actors on the internet:- 

  • 7777 
  • 443

The servers at Digital Ocean as well as the servers hosted at General Bytes’ own cloud services are also included in this list.

A default admin user named ‘gb’ was then added to the CAS as a result of exploiting this bug by the threat actors. Then the hacker modified the following things:-

  • ‘buy’ crypto settings
  • ‘sell’ crypto settings
  • ‘invalid payment address’ used with a wallet that is under the control of the hacker

There are two recent server patch releases from General Bytes which need to be applied to customers’ servers before they can begin using their Bitcoin ATMs:-

  • 20220531.38 
  • 20220725.22

Until then, security analysts have strongly urged users to not operate Bitcoin ATMs.

Recommendations

Here below, we have mentioned all the recommendations:-

  • The admin and master services should be stopped.
  • The server needs to be upgraded to 20220725.22.
  • The firewall settings on your server need to be modified.
  • Admin service should be started.
  • Make sure that only two-way machines are deactivated.
  • Ensure that all of your CAS users are reviewed.
  • It is necessary to reset all passwords for all users.
  • You should review your crypto settings in order to make sure they are correct.
  • Make sure that no terminals have been added by the attacker. There is a possibility that you might find BT123456 if your system has been breached.
  • Make sure that the terminals are activated.
  • You may find more information on an attacker’s activity in the admin.log file if you are concerned your system was breached.

Also Read: The Rise of Remote Workers: A Checklist for Securing Your Network – Free E-Book Download

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files

Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect...

New Adobe Photoshop Vulnerability Enables Arbitrary Code Execution

Adobe has released critical security updates addressing three high-severity vulnerabilities (CVE-2025-30324, CVE-2025-30325, CVE-2025-30326) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Threat Actors Leverage Weaponized HTML Files to Deliver Horabot Malware

A recent discovery by FortiGuard Labs has unveiled a cunning phishing campaign orchestrated by...

TA406 Hackers Target Government Entities to Steal Login Credentials

The North Korean state-sponsored threat actor TA406, also tracked as Opal Sleet and Konni,...

Google Threat Intelligence Releases Actionable Threat Hunting Technique for Malicious .desktop Files

Google Threat Intelligence has unveiled a series of sophisticated threat hunting techniques to detect...