APT Catchers? More Like APT Snoozers: Bitcoin Depot's $3.6M Breach Notice Lands 3 Days Late
Bitcoin Depot finds itself trending for all the wrong reasons after revealing a cyberattack that cost the company $3.665 million—because nothing says "we take security seriously" like announcing a $3.6M heist three days after it happened. Classic delayed gratification, crypto style.
The Bitcoin ATM giant—which boasts the highest number of Bitcoin ATMs in the game—filed an 8-K report with the SEC revealing the exploit occurred on March 23rd. Threat actors compromised credentials to access internal systems and walked away with 50.903 BTC. That's roughly 50.903 reasons why password hygiene matters, folks. Protip: "password123" is not a security posture.
Here's the kicker: blockchain detective ZachXBT traced the suspicious outflows back to March 20th. That's a three-day window where $3.6M in customer funds went MIA while presumably nobody was watching the monitors. Three days. That's basically a long weekend in crypto time. Meanwhile, their monitors were probably displaying a "No signal" screen because someone kicked the HDMI cable behind the server rack again.
The timing gets spicier when you consider Bitcoin Depot also appointed new CEO Alex Holmes on March 26th—three days after the hack went public. Whether these events are connected remains unclear, but it's certainly an interesting coincidence. Nothing like a fresh face in the corner office right when everything's on fire. "Who moved the goalposts into my inbox?" - New CEO energy, probably.
The company now projects a 40% revenue decline, citing security and regulatory headwinds as contributing factors. Users weren't buying the delay, with one commenter stating: "A 3-day delay is too long for such a significant security breach." Can't argue with that logic—except maybe by saying "our lawyers advised us to sit on this like a dragon on gold."
In related crypto crime news, ZachXBT also uncovered a North Korean operation siphoning roughly $1 million monthly through 390 accounts. Funds were converted to fiat via Chinese bank accounts and platforms like Payoneer—classic DPRK IT worker patterns, apparently. Meanwhile, actual IT workers everywhere are rightfully annoyed that this trope exists.
On the bright side, Bybit's risk control team blocked a fake deposit attack attempting to steal approximately $1 billion using methods similar to the Mt. Gox exploit. Sometimes the good guys catch the W. Someone at Bybit deserves a very nice lunch after this one.
Bitcoin Depot's three-day detection window serves as yet another reminder: when it comes to security, noticing breaches quickly isn't optional—it's basic table stakes. If your breach detection timeline looks like a sloth on melatonin, maybe