Security News > 2022 > August > Bitcoin ATMs leeched by attackers who created fake admin accounts
You wouldn't know it from visiting the company's main website, but General Bytes, a Czech company that sells Bitcoin ATMs, is urging its users to patch a critical money-draining bug in its server software.
Not all countries have taken kindly to cryptocurrency ATMs - the UK regulator, for example, warned in March 2022 that none of the ATMs operating in the country at the time were officially registered, and said that it would be "Contacting the operators instructing that the machines be shut down".
As far as we can tell, CAS is short for Coin ATM Server, and every operator of General Bytes cryptocurrency ATMs needs one of these.
Using this new admin account to reconfigure existing ATMs. Diverting all invalid payments to a wallet of their own.
Perhaps because of the fact that this exploit relied on invalid payments, rather than allowing the attackers to drain ATMs directly, overall financial losses in this incident don't run into the multimillion dollar amounts often associated with cryptocurrency blunders.
The company also automatically deactivated any ATMs that it was managing on behalf of its customers, thus requiring those customers to login and review their own settings before reactivating their ATM devices.