Bitcoin Depot breach exposes crypto ATM risks

Bitcoin Depot, one of the biggest operators in the crypto ATM business, has disclosed that hackers stole about 50.903 Bitcoin, valued at roughly $3.665 million, after gaining access to parts of its internal technology systems and taking control of credentials linked to its digital asset settlement accounts. The Atlanta-based company said the intrusion was discovered on March 23 and later judged material on April 6, before being disclosed in a Form 8-K filing dated April 8.

The company said the stolen assets came from company-controlled wallets rather than from customer accounts. In its filing, Bitcoin Depot said the breach was contained to its corporate environment and did not affect customer platforms, systems, divisions, data or environments. It also said it had not found evidence that personally identifiable information belonging to customers had been accessed or removed, although the investigation remains under way.

That distinction matters in a sector where hacks can quickly trigger fears over customer losses, frozen accounts and wider operational paralysis. Bitcoin Depot told investors the incident had not had a material impact on operations as of the filing date, though it said the event was material because of the potential for reputational damage, legal and regulatory exposure, and response costs. The company also said it carries insurance that may cover some cyber-related losses, but gave no assurance that the cover would be enough to recover all of the funds.

Bitcoin Depot activated its incident response plan, brought in outside cyber specialists and notified law enforcement after detecting the intrusion. The filing did not say how the attacker obtained the credentials or whether any internal control weakness had been identified, a gap likely to attract attention from investors and compliance teams already watching the crypto cash-access sector more closely. The company said it is strengthening its technology systems as part of remediation work aimed at preventing further unauthorised access.

The breach lands at an awkward time for Bitcoin Depot. The company reported 2025 revenue of $614.9 million, up 7% from the previous year, while net income fell to $5.1 million from $7.8 million. Management also warned in March that 2026 revenue from its core business could fall by 30% to 40% because of shifting regulation and tighter compliance standards. Those pressures had already been weighing on transaction activity before the cyber incident surfaced.

Bitcoin Depot has described itself as the largest and most compliant crypto ATM operator in North America. Company materials say it had the largest market share in North America and operated more than 9,000 kiosk locations globally as of August 2025, while its annual filing indicated roughly 9,700 active kiosks by the end of 2025 across the United States, Canada, Australia and Hong Kong. That scale gives the incident significance beyond the dollar amount involved, because a breach at a market leader tends to sharpen scrutiny of controls across the rest of the sector.

The wider backdrop is not encouraging. Chainalysis said stolen crypto funds remained a major threat in 2025, while TRM Labs estimated that illicit actors stole $2.87 billion across nearly 150 hacks during the year. Chainalysis also said individual wallet compromises surged in 2025, even though losses from those incidents were lower than in the prior year. The pattern suggests that while giant exchange and protocol breaches capture the biggest headlines, smaller compromises tied to credentials, phishing and operational systems remain a persistent source of damage.

Crypto ATMs sit in a particularly sensitive corner of that landscape because they bridge cash and digital assets in a format designed for speed and convenience. CertiK said losses linked to crypto ATMs reached $333.5 million in 2025, while the FBI said Americans filing cryptocurrency-related complaints reported more than $11 billion in losses overall. That does not place Bitcoin Depot’s breach in the same category as consumer scams, but it does underline how the sector is increasingly viewed through a dual lens of cyber risk and fraud prevention.