Bitcoin Depot Joins the 'Corporate Wallet Oopsie' Club with $3.7M March Mishap

Well, folks, it happened again. Another day, another crypto company learning that "security" is more of a suggestion than a requirement. Bitcoin Depot has confirmed that a hacker made off with 50.9 Bitcoin, approximately $3.7 million, after somehow waltzing right into internal systems connected to corporate wallets. At this point, we're practically keeping a leaderboard.

The breach occurred on March 23, because of course it did—a Friday night would be too obvious, and hackers apparently love ruining people's Mondays. The attacker obtained credentials tied to Bitcoin Depot's corporate BTC wallets, according to a Monday filing with the US Securities and Exchange Commission. Somewhere, a CISO is definitely updating their LinkedIn profile.

The company was quick to assure everyone that customer accounts, platforms, and personal data remained completely untouched. Bitcoin Depot also noted the attack hasn't significantly disrupted daily operations and that insurance coverage may offset some losses. Translation: "Don't panic, degens, your bags are fine. Ours, however..." Classic corporate damage control—shoot the messenger, then shoot the PR team.

"As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet completely known," the filing stated. A truly groundbreaking statement. We're genuinely shocked they didn't add "we're looking into it" and "no comment."

Now here's where things get weird. Shares of Bitcoin Depot surged on Wednesday, closing at $2.74, up $0.37 or 15.61% for the day, with pre-market trading pushing the price to $2.90, an additional 5.84% gain. That's right—the market responded to a $3.7M hack by mooning. Someone clearly bought the dip on their own company's misfortune. We admire the conviction, if not the ethics.

But wait, there's more! Beyond this security incident, Bitcoin Depot has been navigating intensifying legal and regulatory scrutiny across multiple US states. Connecticut recently suspended the company's money transmission license and issued a temporary cease-and-desist order, citing violations including excessive fees and failures to fully reimburse scam victims. It's almost like running a crypto ATM business comes with some... baggage.

Massachusetts has sued the company over allegations of overcharging and facilitating scams, while Maine saw Bitcoin Depot pay $1.9 million to compensate affected users. That's three states with pitchforks out. At this rate, they might need to incorporate as a defense contractor to avoid the regulatory heat.

For context, there are over 30,000 Bitcoin ATMs operating in the US. So yeah, this is definitely an industry-wide "could happen to anyone" situation. If you're running one of these machines, maybe—just maybe—don't use "password123" for your corporate wallet.

And because one breach wasn't enough for the vibes, in June 2024, Bitcoin Depot experienced a separate data breach exposing personal information of 26,732 customers. The incident traced to an external system, and authorities approved customer notifications after the investigation concluded in June 2025. That's two data disasters in under a year. Some companies have a security team; Bitcoin Depot apparently has a revolving door.