Bitcoin Depot’s 3-Day Security Nap: $3.7M Walks Out While the Lights Were Off

Bitcoin Depot just made headlines again, and not because they fixed their Wi-Fi—this time, it’s a $3.665 million vanishing act on March 23rd. The Bitcoin ATM overlord, fresh off appointing new CEO Alex Holmes on March 26th (bad timing or perfect timing?), also casually dropped a bombshell: expect revenues to plunge by 40% this year. Nothing says “new management” like a forensic audit and a burning pile of missing BTC.

Turns out, an attacker waltzed into internal systems using stolen credentials and helped themselves to 50.903 BTC—because nothing says “digital heist” like walking out with five digits in crypto while the guards check their Slack. The trail went cold fast, but not cold enough: the loot was spotted heading toward deposit addresses at KuCoin, like a tourist depositing stolen art at a sketchy pawn shop.

But here’s where it gets spicy: on-chain Sherlock ZachXBT noticed the suspicious outflows actually kicked off on March 20th. That’s right—three whole days of silent looting before Bitcoin Depot even realized the vault door was ajar. Either someone forgot to set the alarm, or they’re running security like it’s a side hustle funded by a 2017 ICO.

Users, naturally, lost their collective minds. One degen put it best: "A 3-day delay is too long for such a significant security breach." To be fair, that’s two days longer than it takes most people to realize they’ve left their seed phrase in a group chat with their mom.

The crypto equivalent of a home invasion while the homeowner is binge-watching Netflix continues to play out: threat actors move like they’re on espresso, while corporate security moves like they’re on dial-up. No wonder the scams keep winning—this isn’t Whac-A-Mole, it’s Whac-A-Slow-Motion-Mole.

In a rare plot twist, the good guys actually scored a W recently: Bybit’s risk control squad intercepted an attack aiming to steal nearly $1 billion using tactics straight out of the Mt. Gox playbook. Fake deposits? Tried and failed. Shoutout to the unsung heroes staring at dashboards at 3 AM, sipping cold brew and saving the exchange from becoming a cautionary tale.

Meanwhile, ZachXBT’s detective hat stayed firmly on, uncovering a slick $1 million-per-month crypto scam run like a DPRK side gig. An internal North Korean payment server allegedly puppeteered over 390 accounts, laundering the loot into fiat through Chinese bank accounts via platforms like Payoneer—because apparently, even rogue states need to pay their internet bill.

Law enforcement and blockchain sleuths are grinding hard, but the gap between hackers and defenders remains wider than a memecoin’s token supply. Until companies treat security like it’s not an afterthought, the heists will keep coming—right on schedule, and always during someone’s “security nap.”