Bitcoin ATMs are becoming more common in the United States and pose a growing cybercrime threat, according to some experts. ATMs that accept bitcoins are similar to their cash counterparts: PINs must be entered and withdrawal fees apply, just like any other ATM.
Unlike ATMs, which high value of crypto makes them a prime target for hackers. So while an ATM hidden among the snacks and energy drinks at a gas station might not attract much attention, a Bitcoin ATM will get a closer look from scammers.
“It is clear that these machines are particularly vulnerable to physical and cyber threats, making them a prime target for hackers and thieves,” said Timothy Bates, clinical professor of cybersecurity at the University of Michigan College of Innovation and Technology.
Bitcoin ATMs can be vulnerable to attacks where hackers install malware on the devices to intercept private keys, steal funds or tamper with transactions, which Bates said is “particularly concerning for ATMs that may not receive regular software updates or security patches.” Network vulnerabilities are also a vulnerability. “If the device’s network communications are not adequately secured, attackers can intercept data transmissions between the ATM and the server, which can lead to data theft or unauthorized access,” Bates said.
Whether hackers or scammers, the government is sounding the alarm about Bitcoin ATMs. The Federal Trade Commission reported this week that scams have increased 1,000% since 2020.
Ironically, the risks of a Bitcoin ATM are directly related to its strengths, said Joe Dobson, senior analyst at Mandiant, a Google Cloud-owned cybersecurity company. Bitcoin is decentralized, permissionless and immutable. “A transaction cannot be reversed or recalled if funds are deposited to the wrong address,” Dobson said. And while many crypto bulls find Bitcoin’s lack of governance attractive, that can be problematic with ATMs. “There is no governing body in Bitcoin that dictates who can and cannot operate a Bitcoin ATM, so many independent organizations operate the ATMs,” Dobson said.
There are also old criminal tricks that might be reversible in a traditional banking situation, but that’s not the case in the world of Bitcoin. For example, someone with malicious intent could put their personal deposit slips in the stack at the bank and trick people into depositing money into their account. “A similar attack can happen with Bitcoin ATMs,” Dobson said. “If an attacker compromises a Bitcoin ATM, they can change the receiving wallet address (or ‘account number’), effectively stealing user funds.”
But in addition to the old tricks, there are newer dangers that Bitcoin ATMs pose that cash machines don’t face. Many Bitcoin ATMs require personal information, such as an ID or even a social security number, to comply with the financial industry’s Know Your Customer (KYC) requirements. This information could be at risk if a Bitcoin ATM is compromised.
In Middletown, Ohio, at the Middletown Food Mart in a hollowed-out part of town, a Bitcoin Depository The ATM is located across from a regular ATM and is hidden among potato chips, bottled water, and beer. Middletown has recently become best known as the hometown of Donald Trump’s running mate, Ohio Senator JD Vance, who, like Trump, has reinvented himself as a cryptocurrency proponent. The Middletown Food Mart is located across the street from where Vance grew up.
“Elon Musk told me to do it.”
Sai Patel, whose family owns the Middletown Food Mart, says the Bitcoin ATM is not very busy.
“Maybe once a month someone will come by to use it,” Patel said. And if it’s someone new, Patel patiently explains how the machine works. He also keeps an eye out for unusual activity. While the Bitcoin ATM doesn’t exactly draw crowds, Patel said a surprising number of seniors come to the kiosk, which is alarming given the increasing number of Bitcoin ATM scams targeting seniors.
“Older people come in and use it,” Patel said.
He described an encounter in which an elderly woman entered his store and went to the Bitcoin ATM. She then tried to send a lot of money somewhere but had questions about how to use the machine. When Patel asked the woman a few questions about why she was doing it, she said, “Elon Musk told me to do this.” Patel quickly realized she had fallen victim to a scam. “I told her, no, no, no, this is a scam,” Patel said, and he stopped her from putting her entire life savings into the machine.
Alice Frei, head of security and compliance at blockchain communications and advisory agency Outset PR, says Bitcoin ATM fraud is costly and is exacerbated by the sometimes shady world of cryptocurrencies.
“Cryptocurrencies can be easily exchanged online, often without the parties involved being clearly identified. Criminals exploit this anonymity and move money almost invisibly, often using techniques such as cross-blockchain ‘bridges’ to further obscure transactions,” she said.
And then there’s the fact that an ATM scam is unlikely to originate in the city it takes place in. “Many crypto exchanges involved in these activities are based abroad, outside the reach of regulators, making it difficult to track down and recover stolen funds,” Frei added.
Basic Steps to Avoid Bitcoin ATM Scams
To protect themselves from these scams, users should be cautious and skeptical of any request to pay via a Bitcoin ATM. Legitimate companies rarely, if ever, ask for payment in Bitcoin via an ATM.
“Verifying the legitimacy of a transaction, especially checking the recipient’s wallet for links to questionable companies, is crucial,” Frei said, adding that users should also use licensed ATMs from reputable operators to mitigate risk.
According to Frei, there are steps users can take to verify the ownership and legitimacy of a Bitcoin ATM or the parties involved in transactions.
“You can verify the recipient address by looking for flagged activity on platforms like Chainabuse and performing an AML check on the address using available tools,” she said. If these tools show a risk score above 70%, it is advisable to stop sending money. “Instead, contact the ATM operator or the person who provided the address to clarify the situation,” Frei added.
According to Frei, the data shows that almost 74% of ATMs worldwide are managed by just ten operators.
The largest Bitcoin ATM operator, Bitcoin Depot, operates over 8,000 machines. Its CEO Brandon Mintz says the company’s machines are designed to deter hackers. However, he also disputes claims that Bitcoin ATMs are a prime target for hackers.
“Bitcoin ATMs are not typically high-priority targets for cybercriminals due to the separation of the hardware and bitcoin wallet environments,” Mintz said. Bitcoin Depot does not store bitcoins locally at a bitcoin ATM and there are many layers of verification and approval processes that prevent unauthorized access to the Bitcoin Depot wallet, he said.
In addition, Mintz says most Bitcoin ATMs, including Bitcoin Depot, only accept cash, so criminals can’t use card readers like they can install on traditional ATMs. However, he says users need to be aware of the scam and that some of the same basic protocols that protect consumers from old-fashioned financial scams apply in the cryptocurrency world.
“Bitcoin ATM customers should never send bitcoins or other cryptocurrencies to unknown digital wallets or people they do not know and trust. It is important to remain vigilant and skeptical of anyone requesting cryptocurrency payments, especially if the request is accompanied by a sense of urgency or threat,” Mintz said.
As a market leader, Bitcoin Depot has been the target of litigation and the company disclosed in its S-1 filing prior to its IPO that its users “have been and could be the target of cybersecurity incidents such as account takeovers.” A South Carolina woman sued Bitcoin Depot after falling victim to an alleged cryptocurrency scam. In another case, authorities in Texas intervened to return money from a Bitcoin Depot ATM after a woman fell victim to a scam.
And that points to a central irony of bitcoin and bitcoin ATMs, products of technology, where the most powerful weapon against fraud is not technology but responsibility, Dobson said. “With cryptocurrencies, the user’s responsibility is paramount. There is little compensation when things go wrong. The responsibility to take action is largely on the user.”
