Unauthorized transfer of 50.903 Bitcoin from Bitcoin Depot corporate wallets
Summary
Attackers breached Bitcoin Depot’s corporate IT systems on March 23, 2026, and exfiltrated approximately 50.903 Bitcoin (valued at $3.665 million) from the company’s controlled wallets before access was blocked. The intrusion targeted Bitcoin Depot’s corporate environment and did not affect customer-facing platforms, systems, or data. The company activated incident response protocols, engaged external cybersecurity experts, and notified law enforcement and regulators, including the SEC.
Timeline
- 09.04.2026 10:44 · 1 article
Bitcoin Depot reports $3.665 million theft from corporate Bitcoin wallets following March 2026 intrusion
On March 23, 2026, Bitcoin Depot discovered unauthorized access to its corporate IT systems and activated incident response procedures. Attackers exfiltrated approximately 50.903 Bitcoin from company-controlled wallets before access was blocked. The company reported the incident to law enforcement, engaged external cybersecurity experts, and filed a material incident report with the SEC on April 6, 2026.
Source: Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot — www.bleepingcomputer.com — 09.04.2026 10:44
Information Snippets
- Bitcoin Depot operates over 25,000 Bitcoin ATMs and BDCheckout locations globally with 2025 revenue of $615 million.
  First reported: 09.04.2026 10:44 · 1 source, 1 article
  Source: Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot — www.bleepingcomputer.com — 09.04.2026 10:44
- The breach was detected on March 23, 2026, following suspicious activity in the company’s IT systems.
  First reported: 09.04.2026 10:44 · 1 source, 1 article
  Source: Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot — www.bleepingcomputer.com — 09.04.2026 10:44
- Unauthorized actors transferred approximately 50.903 Bitcoin ($3.665 million at time of report) from Bitcoin Depot’s corporate-controlled wallets before access was blocked.
  First reported: 09.04.2026 10:44 · 1 source, 1 article
  Source: Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot — www.bleepingcomputer.com — 09.04.2026 10:44
- The incident was contained to Bitcoin Depot’s corporate environment and did not impact customer platforms, divisions, systems, data, or environments.
  First reported: 09.04.2026 10:44 · 1 source, 1 article
  Source: Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot — www.bleepingcomputer.com — 09.04.2026 10:44
- Bitcoin Depot maintains cyber insurance but states coverage may not fully offset incident-related losses, including reputational, legal, regulatory, and response costs.
  First reported: 09.04.2026 10:44 · 1 source, 1 article
  Source: Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot — www.bleepingcomputer.com — 09.04.2026 10:44
- In 2025, Bitcoin Depot notified nearly 26,000 individuals of a 2024 data breach involving exposure of personal information (full names, addresses, dates of birth, driver’s license numbers, email addresses, and phone numbers).
  First reported: 09.04.2026 10:44 · 1 source, 1 article
  Source: Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot — www.bleepingcomputer.com — 09.04.2026 10:44
Similar Happenings
Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana
Drift Protocol’s April 1, 2026, $285 million loss was the culmination of a six-month in-person social engineering campaign, where North Korea-linked threat actors (UNC4736, a.k.a. AppleJeus/Labyrinth Chollima) infiltrated the ecosystem by posing as a quantitative trading firm at crypto conferences. The attackers compromised contributors via malicious code repositories (exploiting VSCode/Cursor vulnerabilities) and fraudulent TestFlight wallet applications, enabling them to hijack Security Council multisig controls. Post-takeover, they deployed the CarbonVote Token as collateral, removed withdrawal limits, and drained funds across deposits and trading accounts within minutes. Drift has frozen all protocol functions, flagged attacker wallets globally, and is collaborating with intelligence firms (Elliptic, TRM Labs) and law enforcement to trace and recover stolen assets. On-chain analysis confirms North Korean involvement, aligning with prior state-sponsored campaigns targeting crypto infrastructure.
UNC4899 Exploits AirDrop to Compromise Crypto Firm's Cloud Environment
UNC4899, a North Korean threat actor, breached a cryptocurrency firm in 2025 by exploiting an AirDrop file transfer to a developer's work device. The attackers used social engineering to deliver a trojanized file, then pivoted to the cloud environment, employing living-off-the-cloud (LOTC) techniques to steal millions in cryptocurrency. The attack involved abusing DevOps workflows, harvesting credentials, and tampering with Cloud SQL databases. The incident highlights risks associated with personal-to-corporate P2P data transfers, privileged container modes, and insecure handling of secrets in cloud environments.
ShinyHunters Breach Affects Checkout.com Legacy Cloud Storage
Checkout.com, a global payment processing firm, disclosed a data breach involving a legacy cloud storage system compromised by the ShinyHunters threat group. The breach affected less than 25% of its current merchant base and included data from 2020 and earlier. The company refused to pay the ransom and instead plans to donate the amount to cybersecurity research at Carnegie Mellon University and the University of Oxford Cyber Security Center. The compromised data includes internal operational documents and onboarding materials. ShinyHunters is known for exploiting vulnerabilities and using social engineering tactics to extort large organizations.