Bitcoin ATMs are popping up across the United States, offering folks a really convenient way to buy or sell BTC. And while they may look harmless, tucked into convenience stores and gas stations, they are fast becoming hotspots for cybercriminals.
Hackers are finding ways to exploit the very features that make BTC so appealing to users: its lack of regulation and irreversible transactions.
Timothy Bates, a cybersecurity expert at the University of Michigan, says these machines are vulnerable to both physical and digital attacks.
“Bitcoin ATMs are particularly exposed to cyber threats because they often don’t get regular security updates.”
The Federal Trade Commission (FTC) recently reported a 1,000% increase in Bitcoin ATM fraud since 2020.
It’s not hard to see why: BTC’s decentralized nature means there is no central authority to oversee these ATMs or undo fraudulent transactions.
Joe Dobson, principal analyst at Mandiant, explained that this is a major issue. “Once funds are sent to the wrong wallet, they’re gone. No one can reverse that,” he said.
If the ATM’s network is not secure, attackers can intercept data between the machine and the server. Bates warns:
“This kind of attack can lead to data theft or unauthorized access to user funds.”
Bitcoin ATMs also present new risks not seen with traditional cash ATMs. To comply with Know Your Customer (KYC) laws, these machines often require users to provide personal information such as an ID or Social Security number.
If an ATM is compromised, this sensitive information could be stolen.
A case in South Carolina involved a woman suing Bitcoin Depot, the largest operator of Bitcoin ATMs, after she lost money to a scam. Authorities in Texas had to step in to help another victim recover her funds after falling prey to a similar scheme.
Bitcoin Depot operates over 8,000 ATMs, and while CEO Brandon Mintz claims the machines are designed with security in mind, fraud continues to be an issue.
“Our machines only accept cash, which eliminates some risks that traditional ATMs face,” said Mintz.
Still, fraud is not something the company can fully avoid. In Bitcoin Depot’s S-1 filing with the Securities and Exchange Commission (SEC), the company admitted that its users have been and could be targeted by cybercriminals.
Bitcoin ATMs have become easy prey for scammers looking to change receiving wallet addresses and steal funds.
Mintz and other experts agree that user responsibility is the key to avoiding fraud at Bitcoin ATMs. Mintz advises customers to avoid sending BTC to unknown wallets or to individuals they don’t know.
“When it comes to cryptocurrency, the onus is on the user. If something goes wrong, you can’t rely on technology to fix it for you.”
While many in the crypto community appreciate Bitcoin’s lack of centralized control, it creates an environment where fraud can thrive unchecked.