Attackers hit Bitcoin ATMs to steal $1.5 million in crypto cash

Unidentified miscreants have siphoned cryptocurrency valued at more than $1.5 million from Bitcoin ATMs by exploiting an unknown flaw in digicash delivery systems. According to General Bytes, the outfit that sold the ATMs and had managed some of them with a cloud service, the attackers used an interface designed to upload …

  1. GreenJimll

    A more general cloud computing reminder

    I think I'm going to have to print out this quote to stick on the office wall for use when anyone at work suggests moving valuable data to a shared cloud hosted platform:

    'General Bytes said it is shutting down its cloud services, noting it is "theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors."'

    1. Version 1.0 Silver badge
      Joke

      Re: A more general cloud computing reminder

      When you see clouds, then it's probably going to rain somewhere, LOL here's an updated Brendan Behan quote:

      "I have never seen a situation so dismal that a cloud couldn't make it worse."

    2. doublelayer Silver badge

      Re: A more general cloud computing reminder

      Of course there is. This isn't an indictment of cloud. It's an indictment of their security and their ability to build a system. Anyone run a VPN endpoint, including one that operates from on prem hardware? How about a public service? A server that accepts SSH connections without going through that VPN endpoint first? All these things are "a system granting access to multiple operators at the same time where some of them are bad actors", no matter who owns the box on which the service runs.

      These operators screwed up their own security by insufficiently checking the authorization of people uploading code. It would not have mattered if they bought their own servers to run that code, because just by putting their insecure system on the public internet, they made the problem happen. There are two solutions to this problem: make a proper system that has security planned in and tested or operate the insecure junk in a closed network with no public access. Either could have worked. Both would probably be best for something this sensitive. They chose neither. Anyone who thinks this is a reflection on cloud, including the designers of the system themselves, does not understand cloud or security.

  2. Alan J. Wylie

    The baddies scanned DigitalOcean's IP address space and found Crypto Application Server (CAS) services on port 7741

    Have General Bytes never heard of Ipsec and VPNs?

    1. Anonymous Coward
      Anonymous Coward

      In my opinion, anyone who designs and releases something on the Net without at a minimum a simple nmap and nessus scan check should not be allowed to put something online. Doubly so if it transacts something that occasionally represents real money.

      There is no defence here.

      1. Anonymous Coward
        Anonymous Coward

        There is no defence here.

        If I was a developer in something scammy like crypto, maybe I would consider some security flaws to be a natural part of my Early Retirement Portfolio, or Fuck-Off Money, or just Fuck You "team lead"

        Kevin!? Crypto Tradition has it that someone is going to loot the assets, and why not the working classes for once?

        I have worked a few places where critical infrastructure is built and provided; some of those have stuff like: Rah-Rah meetings, free pizza, onsite cocktail bar, and even table football to compensate for low pay, long hours and hostile management. People who work there for more than 2 years, they tend to run out of fucks to give, and much longer than that, they will start plotting their revenge.

        Much of those systems that we take for granted and depend on, are garbage. It just hasn't been hacked yet or the hacking didn't make the news.

    2. spuck

      They may have heard of them, but you don't get those for the $5/month plan at Digital Ocean.

  3. lglethal Silver badge
    Facepalm

    Why is it that whenever I hear about something like this involving Crypto my first thought is: "Inside Job!"

    A previously undiscovered vulnerability. Yep, sure. Cynical, moi?

    And "the attackers used an interface designed to upload videos" why on Earth do you have an interface on an ATM to upload videos? My only guess would be something to do with putting ads on the machine, but then why on Earth would that let you anywhere near the Admin console.

    There are so many fails here it's hard to quantify (although of course the first is that it's to do with Crypto, so...)

    1. Rob

      "My only guess would be something to do with putting ads on the machine, but then why on Earth would that let you anywhere near the Admin console."

      I think you've highlighted the common problem. Crypto money is a gold rush and as such companies are rushing to get involved and not taking the time to develop their software to the point of better security. I agree why on earth would you want to upload videos, if it is for Ads I would be running a separate bit of software to serve ads to this system but that would require time to build and develop and cut into their first profit earnings.

      1. Anonymous Coward
        Anonymous Coward

        Crypto money is a gold rush scam.

        Fixed it for you. The need for speed is mainly because they want to push the money they make as quickly through all the shell companies before they run away. IMHO, FTX's main problem was trying to run the scam for too long. If they had packed up and bailed before it became too obvious that it was a house of cards, law enforcement would still be looking for them (although SFB would have been caught anyway as he's far too keen on attention, not the best of attributes if you're running a pyramid scheme).

    2. Tom66

      Even if it isn't an inside job, it just seems like there is so much fraud, theft and corruption in the cryptocurrency world. And when was the last time you heard of what is essentially a bank robbery leaving customers actually out of pocket? It's unsustainable.

      1. Anonymous Coward
        Anonymous Coward

        Hmmm.... Black Monday (the Wall Street crash of 1987), the Great Crash of 1929, the collapse of the gold market in 1869...

        Most of those were the triggering events for the regulations we have (or had until people started taking them apart...)

        1. Not Yb Bronze badge

          Retail bank customers were mostly safe on Black Monday, as were S&L depositors who didn't have more than the insured amount on deposit. The FDIC has gotten much better at resolving bank problems without resorting to "pennies on the dollar" returns to depositors these days.

    3. An_Old_Dog Silver badge

      Video Upload Interface on (Crypto) ATMs

      why on Earth do you have an interface on an ATM to upload videos?

      So the camera built into the crypto ATM can take movies of people using the machine (and perhaps of passers-by who may be "crypto-curious"), said movies to be sold for profit.

      1. lglethal Silver badge
        Trollface

        Re: Video Upload Interface on (Crypto) ATMs

        Let me guess the movie title:

        "How to spot a sucker?"

  4. Anonymous Coward
    Anonymous Coward

    Crypto just wants to have fun

    Set it free!

    Don’t fence it in.

  5. Howard Sway Silver badge

    Attackers hit Bitcoin ATMs

    I'm a little disappointed that this story isn't one of those where they used explosives to try and open the machine up, because they were hoping to get at all the bitcoins kept inside it.

    The complete ignorance of how networks need to be secured in order to prevent this most basic of exploits is however completely to be expected from the crypto world.

  6. JacobZ

    No honour among thieves

    "You've got your exploit in my scam!"

    "No, you've got your scam in my exploit!"

  7. Captain Scarlet
    Coat

    by default, configured to start applications in its deployment folder

    This to me just feels lazy, a bit like the Autorun folder in Windows and Autorun for external media which is far too easy to exploit.

    Why does no-one ever learn.

  8. Plest Silver badge
    Facepalm

    So...

    You take the world's most popular scam right now, ie crypto-shitcoin, you allow access via an unsupervised console in a public place using code that's handling financial transactions but has not been properly battle-tested like real ATM code?

    Yeah, can't imagine why that didn't go so well!

    1. drand

      Re: So...

      ...but it has blockchain! How can it fail?

      1. Anonymous Coward
        Anonymous Coward

        Re: So...

        Snicker.

        "If I had to list all the failure modes, I wouldn't have time to exploit any of them..."

        I think the better question is formulated as: "... but it has blockchain! How could it possibly NOT fail?"

  9. Anonymous Coward
    Anonymous Coward

    There's an additional take from this article: 15,000 ATMs have performed 15,000,000 transactions? 1,000 transactions per system on average is absurdly low. They must be bleeding money.

    1. lglethal Silver badge
      Go

      Not any more perhaps! :P

      The cynic in me, says they've now got a reason to walk away from the business, shut down their servers, and all the costs associated, AND they've trousered $1,5 million to boot.

      Not a bad way to shut down an underperforming business.

      Then again maybe they were hit by external attackers. Maybe... *cough*

      1. Insert sadsack pun here

        " they've now got a reason to walk away from the business, shut down their servers..."

        ...and all their books and records will be destroyed, which is really unfortunate for a cross-border bitcoin atm operator...

    2. spuck

      The local shopping mall has a crypto ATM in the food court. The one time I saw someone using it, it was a 55-60 year old woman, who was obviously having a difficult time understanding what she was supposed to be doing. I was 90% sure she had been sent there by some scammer to buy Bitcoins to pay off a ransomware or mule scam.

      When I've looked at these sorts of ATMs in the past, I've had a hard time understanding why anyone in the know would use them. The exchange rates have always been so outrageous that the only time I would think they get any transactions at all have to be the result of a money-laundering scam of some sort.

      If you see someone using a crypto ATM, ask them gently if they are being pressured to buy Bitcoin and encourage them to contact the police.

      1. guavatree

        “If you see someone using a crypto ATM, ask them gently if they are being pressured to buy Bitcoin and encourage them to contact the police.”

        Great advice! Why did you not do this when you saw the woman who you were 90% sure was being scammed?

    3. Jaybus

      Yes, but the execs already got their bonuses for selling them to suckers. Sometimes there are scams within scams within scams.

  10. Glenn Amspaugh

    Movie Quote Time

    "Now comes the part where we throw our heads back and laugh." – George Of The Jungle

  11. Cliffwilliams44 Silver badge

    Crypto ATM

    "What could possibly go wrong!?"

    -- Timmy Turner
