Zero Day in Bitcoin ATMs Exploited in a Crypto HeistAttack Comes Days After General Bytes Introduced 'Help Ukraine' Feature
A zero-day vulnerability in software powering General Bytes bitcoin ATM servers went undetected for nearly two years before hackers used it to steal cryptocurrency, the company says.
The Czech company says the incident resulted in $16,000 being stolen through six operators of its automated crypto-to-fiat currency conversion machines.
A company executive tells Information Security Media Group the hackers may have been motivated by vengeance against its pro-Ukraine posture. The attack came just days after General Bytes announced a "Help Ukraine" feature on its ATMs.
"The only coincidence is that three days before the attack, we introduced a feature that helps people donate Bitcoins to the Ukraine government via a special button on the ATM screen," said Martijn Wismeijer, General Bytes marketing manager, in an email. The attack originated in the Caucasus country of Georgia, "where a higher number of Russian IT professionals live, this could be the reason," Wismeijer said, although he acknowledged that "this is pure speculation."
Blockchain analysis company Elliptic estimates the Ukrainian government received more than $60 million in donated cryptocurrency in the weeks following Russia's invasion. Ukraine says the donated digital currency has gone to buying supplies ranging from digital rifle scopes to fuel.
Wismeijer confirmed the company received an extortion demand after details of the vulnerability and its subsequent fix were publicly released. It's unclear what connection, if any, the demand has with the attackers, he said. It "came from somebody unable to provide single proof that he was the one behind the attack."
The General Bytes executive said the vulnerability came to light when two customers separately reported changes in their ATM settings without their authorization on the same day. The company websites says it's sold more than 13,300 ATMs with at least one present in nearly every country across the globe. It has released a patch to plug the vulnerability.
The Zero-Day Flaw
The zero-day exploited in the attack was located in the company's Crypto Application Server, software for managing Bitcoin ATMs from a central location through a web browser. The vulnerability stems from a December 2020 upgrade that added an ATM configuration wizard the company dubbed FastTrack.
The wizard was intended to be used once, but hackers used it to create a new default admin user. They then substituted a new wallet address into the settings to receive funds from the ATMs.
Before exploiting the vulnerability, the attacker scanned for General Bytes and other ATM servers on DigitalOcean's cloud hosting service, Wismeijer said.
Legally, General Bytes is not liable to reimburse customers for lost funds, Wismeijer said. The company is nonetheless considering reimbursing affected customers.
"We want to express that we are deeply sorry for the security issue we have caused, and none of our security protocols caught it. We will level up our security procedures to prevent this kind of vulnerability in the future," Wismeijer said.