While many large cryptocurrency thefts are performed by exploiting smart contracts, this is not the only way that cybercriminals can drain users’ wallets. In August 2022, General Bytes reported an attack against their Bitcoin ATMs that rerouted deposits to the attacker’s account.
Inside the Attack
General Bytes operates a network of over 13,769 ATMs with locations in more than 143 countries. These Bitcoin ATMs are not limited to the Bitcoin blockchain, allowing users to buy or sell over 40 different tokens.
The attackers took advantage of a zero-day vulnerability in the administration interface of the ATMs’ Crypto Application Server (CAS). After scanning the Internet for exposed CAS services running on ports 7777 or 443, the attackers exploited the vulnerability to gain administrator access to the ATMs and create a new administrator account.
This administrator access allowed the attacker to change the configuration settings of affected ATMs, adding their own address to the Invalid Payment Address setting. After this change was applied, invalid payments sent to General Bytes Bitcoin ATMs would be redirected to the attacker’s account.
Lessons Learned From the Attack
The General Bytes attacker identified and exploited a vulnerability that had existed since 2020, despite multiple security audits. With administrator access to the Bitcoin ATM, the attacker could make configuration changes that enabled the theft of cryptocurrency.
This hack underscores the fact that cryptocurrency hacks are not limited to smart contract exploits or exposed private keys. Attacks at other levels of the blockchain ecosystem and targeting various blockchain endpoints can also pose threats to cryptocurrency and should be considered as part of a comprehensive and holistic blockchain security strategy.
