Oopsie: Bitcoin Depot's $3.6M 'Voluntary' Contribution to the Hacker's BTC Stash

Bitcoin Depot Inc. just learned a very expensive lesson about wallet security. The BTC ATM operator disclosed in an SEC filing Wednesday that hackers made off with approximately 50.9 BTC—worth a cool $3.665 million—in a March 23 security breach. Because when you run a crypto ATM business, apparently keeping your keys to yourself is just too mainstream.

The intruders breached the company's IT systems and snagged credentials for digital asset settlement accounts, allowing them to transfer the cryptocurrency without so much as a "please" or "thank you." Classic social engineering—no phishing email, no suspicious link, just straight-up credential harvesting like they were picking apples in an orchard called "Unsecured Credentials R Us."

After discovering the breach, Bitcoin Depot activated incident response protocols and called in external cybersecurity experts to patch things up and figure out exactly how the attackers waltzed in. Law enforcement has also been notified, though the company remained tight-lipped about which agencies are involved. Nothing says "we take security seriously" quite like frantically dialing 911 after the horse has already bolted with your stable's entire contents.

Customer-facing platforms and user data? Safe and sound, according to Bitcoin Depot. No unauthorized access there, thankfully. Small mercies, folks—at least someone's grandma's transaction history wasn't part of the loot this time.

As of this writing, Bitcoin Depot hasn't issued any public statement beyond the SEC filing. Decrypt reached out for comment but received no immediate response. Silence is golden, especially when that gold is currently sitting in a hacker's wallet, probably already through three mixers and a sushi dinner.

The company classified the incident as material, citing potential reputational damage alongside legal, regulatory, and incident response costs. The preliminary loss estimate sits at $3.665 million based on Bitcoin's value at the time of the heist. Notably absent from the disclosure: any mention of insurance coverage or how this might affect its ATM liquidity operations. Nothing to see here, just a small $3.6M "operational expense" that definitely won't show up on any balance sheet as "oops fund."

On the bright side, Bitcoin Depot is now requiring customers to verify their identity for every transaction—a "significant advancement" in fraud prevention, the Atlanta-based firm said. The phased rollout began earlier this month. Nothing like learning about KYC the hard way after someone's already taken your BTC to the cleaners. Better late than never, we guess?

This isn't Bitcoin Depot's first rodeo with security issues. In 2023, hackers previously accessed personal data for 58,000 users. The company has also faced increased regulatory scrutiny, leading to those stricter identity verification requirements. Twice in two years—some might call that a pattern, others might call it a "learning experience," and the SEC probably has a few other words for it.

The market's reaction? Shares in Bitcoin Depot (BTM) surged 15% during trading to close at $2.74, before ticking down after hours following the SEC disclosure. The stock is down 44% over the past 30 days. Because nothing says "investor confidence" quite like a stock chart that looks like a roller coaster designed by someone with a grudge against thrill seekers.