Crypto Heist at the Kiosk: Inside the $3.6 Million Bitcoin Depot Breach

It was a quiet weekend in March when Bitcoin Depot, the behemoth behind thousands of cryptocurrency ATMs dotting American sidewalks, discovered that millions of dollars had vanished into the digital ether. The company’s internal alarms had tripped: an outsider had commandeered its settlement accounts, draining over 50 Bitcoin - worth a staggering $3.6 million - right out from under their noses. The breach was swift, sophisticated, and devastatingly effective.

Fast Facts

• Bitcoin Depot lost approximately $3.6 million in Bitcoin during a March 23 cyberattack.
• Attackers breached company systems and seized credentials for digital asset settlement accounts.
• No customer data or platforms were reportedly affected, according to Bitcoin Depot.
• Bitcoin Depot operates over 9,000 cryptocurrency ATMs across 47 U.S. states.
• Crypto thefts in 2025 alone reached $3.4 billion, with high-profile attacks continuing into 2026.

According to a filing with the Securities Exchange Commission, Bitcoin Depot’s nightmare began when a threat actor “gained access to certain systems and obtained control of credentials associated with the company’s digital asset settlement accounts.” The result was the unauthorized transfer of nearly 51 Bitcoin - valued at $3.665 million at the time - directly from company-controlled wallets.

The company insists that the incident was contained to its corporate environment and did not compromise customer accounts, platforms, or data. Yet, the breach underscores a growing trend: as cryptocurrency adoption expands, so too does the sophistication and frequency of cyberattacks targeting the industry’s infrastructure. Bitcoin Depot’s 9,000+ kiosks serve as physical gateways between cash and crypto for millions of Americans, making its backend systems a lucrative target for cybercriminals.

Outside cybersecurity experts have been called in, and law enforcement agencies are now on the case. The company’s SEC disclosure signals the seriousness of the incident - not just for immediate financial loss, but for potential legal, regulatory, and reputational fallout. With the investigation ongoing, Bitcoin Depot admits its understanding of the breach may evolve as new facts emerge.

This attack comes amid a surge of crypto thefts: just last week, DeFi platform Drift lost $280 million in a hack attributed to North Korean actors. Blockchain analytics firm Chainalysis reports that crypto thefts hit $3.4 billion in 2025, with 2026 already seeing multimillion-dollar heists. The persistent threat landscape raises urgent questions about the security of digital finance and the resilience of the systems underpinning it.

As Bitcoin Depot races to patch vulnerabilities and reassure stakeholders, the case serves as a stark reminder: in the world of digital currency, even the most established players remain tantalizing targets for cybercriminals. The true cost of this breach - and its ripple effects on trust in crypto infrastructure - may only become clear in the months ahead.

WIKICROOK

• Digital Asset Settlement Account: A digital asset settlement account manages, holds, and transfers cryptocurrencies for business operations, ensuring secure and compliant digital transactions.
• Cryptocurrency ATM: A cryptocurrency ATM is a kiosk where users can buy or sell digital currencies using cash or cards, linking directly to their crypto wallets.
• Threat Actor: A threat actor is any person, group, or entity responsible for launching or coordinating a cyberattack or other malicious activity in cyberspace.
• Wallet: A wallet is a secure digital tool for storing, managing, and transacting cryptocurrencies, using cryptographic keys to protect digital assets from unauthorized access.
• Exfiltration: Exfiltration is the unauthorized transfer of sensitive data from a victim’s network to an external system controlled by attackers.