General Bytes was attacked from quite an unexpected direction. The hacker was able to remotely upload and run a malicious Java application through the company’s video upload service. We are unsure why an ATM needed this service, but we guess it was used to upload commercials from the company’s advertising partners.
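The failure described above is an upload endpoint that accepted, and then executed, something other than a video. The check below is an added example of how a media upload endpoint can refuse such files on the defender's side; it is not General Bytes' code and not taken from their report. It assumes three video containers are allowed (MP4, WebM, Matroska), identifies them by their container signatures rather than by filename, and rejects anything that carries a ZIP/JAR or Java class signature, whatever it is called. The sample uploads at the bottom are constructed for the example.

```python
import hashlib
import io
import os
import zipfile

MAX_BYTES = 200 * 1024 * 1024  # assumed size cap for an advertising clip

# Declared extension -> the container signature we expect in the bytes.
# MP4 carries an "ftyp" box at offset 4; Matroska/WebM starts with the EBML header.
ALLOWED = {
    ".mp4": lambda d: d[4:8] == b"ftyp",
    ".webm": lambda d: d.startswith(b"\x1a\x45\xdf\xa3"),
    ".mkv": lambda d: d.startswith(b"\x1a\x45\xdf\xa3"),
}

# Signatures a media endpoint must never accept regardless of the filename:
# ZIP/JAR archive records and the magic number of a compiled Java class.
FORBIDDEN_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08", b"\xca\xfe\xba\xbe")


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Every decision is made on the bytes, not the name."""
    if not data:
        return False, "empty upload"
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Only the final suffix counts, so "clip.mp4.jar" ends in .jar and is refused.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if data.startswith(FORBIDDEN_MAGIC):
        return False, "archive or class file disguised as media"
    if zipfile.is_zipfile(io.BytesIO(data)):
        # ZIP readers locate the central directory from the END of the file,
        # so a JAR with a media-looking prefix is still a loadable JAR.
        return False, "zip structure found inside upload"
    if not ALLOWED[ext](data):
        return False, f"content does not match {ext} container"
    return True, "ok"


def storage_name(data: bytes, ext: str) -> str:
    """Content-addressed file name: the client never chooses where the file lands."""
    return hashlib.sha256(data).hexdigest() + ext


# --- constructed samples (not real uploads) ---------------------------------
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 64          # minimal MP4 header
SAMPLE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 16                # Java class magic


def _build_sample_jar() -> bytes:
    """A tiny JAR (a ZIP with one .class entry) built in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Main.class", SAMPLE_CLASS)
    return buf.getvalue()


SAMPLE_JAR = _build_sample_jar()


def demo() -> dict:
    """Run the constructed samples through the validator."""
    return {
        "genuine_mp4": validate_upload("ad.mp4", SAMPLE_MP4),
        "jar_renamed_mp4": validate_upload("ad.mp4", SAMPLE_JAR),
        "class_renamed_mp4": validate_upload("ad.mp4", SAMPLE_CLASS),
        "jar_extension": validate_upload("ad.jar", SAMPLE_JAR),
        "double_extension": validate_upload("ad.mp4.jar", SAMPLE_MP4),
        "empty": validate_upload("ad.mp4", b""),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:>18}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The two design points that matter here are that the check runs on the server and looks at content rather than trusting the client's filename or `Content-Type`, and that an accepted file is written under a hash-derived name into a directory the application only ever serves as static media and never loads code from. Signature checks are a floor, not a full parser; in production the file would additionally be transcoded or probed by a media library before it reaches a terminal.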
After an investigation, General Bytes found that nearly 56 BTC worth more than $1.5 million, and 21.82 Ether worth nearly $37,000, had been sent to the 21 wallets linked to the hacker. General Bytes patched the vulnerability within 15 hours of learning of it, but the losses were unrecoverable.
General Bytes, based in the Czech Republic, is one of the largest manufacturers of cryptocurrency ATMs. The company mainly focuses on Bitcoin, but also works with other cryptocurrencies. According to General Bytes, they have already sold more than 15,000 terminals in 149 different countries.
The attack occurred on March 17-18, and on March 19 General Bytes tweeted about the incident, attaching a link to a detailed report.
As General Bytes wrote in its report, the hacker got “ability to access the database, ability to read and decrypt API keys used to access funds in hot wallets and exchanges, send funds from hot wallets, download user names, their password hashes and turn off 2FA, ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM. Older versions of ATM software were logging this information.”
General Bytes disclosed that they “concluded multiple security audits since 2021, and none of them identified this vulnerability.”
After the incident, General Bytes shut down its Cloud service entirely. It has also released two server patches that fix the vulnerability. The company recommended that its clients regenerate their keys and passwords, and apologized:
“We apologize for what happened and will review all our security procedures and are currently doing everything we can to keep our affected customers afloat. <…> We are collecting data from our clients to validate all the losses; along with internal investigation, we will cooperate with authorities to do everything we can to identify the perpetrator.”
This is further proof that so-called hot wallets are not safe and that the amount of crypto assets held in such accounts should be kept to a minimum. We wish a quick recovery to all affected and continue to Observe.