Bitcoin Depot, a prominent operator of Bitcoin ATMs, has begun notifying approximately 27,000 customers of a data breach that compromised their sensitive personal information. The company first detected suspicious activity on its network on June 23, 2024. Bitcoin Depot’s internal investigation concluded on July 18, 2024, but public disclosure was withheld, at the request of federal agencies, until they completed their parallel investigation into the incident. This delay meant customers were not informed for nearly a year after the breach was initially identified.
The exposed data varies by individual but can include a wide range of personal identifiers, such as full names, phone numbers, driver’s license numbers, physical addresses, dates of birth, and email addresses. This type of information is commonly collected during Know-Your-Customer (KYC) verification processes, which crypto ATM operators in the U.S. are mandated to conduct under FinCEN regulations. The breach’s nature suggests that the unauthorized individual gained access to documents containing this sensitive customer data.
Given that the financial risk associated with this breach is primarily linked to cryptocurrency, Bitcoin Depot did not offer identity monitoring or theft protection services to the affected individuals. Instead, the company has advised recipients of the notification to exercise heightened vigilance for any signs of fraud, diligently monitor their account statements for unusual activity, and strongly consider placing a security freeze on their credit reports to prevent unauthorized access to their financial information.
This incident at Bitcoin Depot echoes a similar security lapse that impacted another U.S. Bitcoin ATM operator, Byte Federal, in December 2024. Byte Federal’s breach affected a larger number of customers, totaling 58,000, and was attributed to hackers exploiting a vulnerability in GitLab to access a server containing sensitive customer data. These incidents highlight ongoing security challenges within the cryptocurrency ATM sector.
Despite the severity of the breach and the significant number of affected users, Bitcoin Depot has not yet provided a public comment regarding the security incident, including after BleepingComputer attempted to contact the company for further details. The incident underscores the critical importance of robust cybersecurity measures for companies handling sensitive customer data, especially within the rapidly evolving cryptocurrency landscape.