Prague

Bitcoin ATM maker to refund customers impacted by zero-day hack

General Bytes has implemented several measures in the wake of the hack, including offering to reimburse its cloud-hosted customers and adding new security measures.

Bitcoin ATM manufacturer General Bytes says it is reimbursing its cloud-hosted customers that lost funds in a "security incident" in March that saw its customers' hot wallets accessed.

As previously reported by Cointelegraph, the ATM manufacturer issued a statement about a security incident on March 17 and March 18, which involved a hacker remotely uploading a Java application into its terminals and gaining access to sensitive information, such as passwords, private keys and funds from hot wallets.

In a recent statement to Cointelegraph, the ATM manufacturer said it has since been moving swiftly to "address the situation" and has made the decision to refund its "cloud-hosted customers who have lost funds."

"We have taken immediate steps to prevent further unauthorized access to our systems and are working tirelessly to protect our customers," General Bytes said in a statement.

It was understood that the hack led to at least 56 BTC, worth over $1.5 million at current prices, and 21.82 ETH, worth $37,000 at current prices, being deposited into wallets connected to the hacker.

According to General Bytes, it has thoroughly assessed the damages from the hack and has been "working tirelessly" to improve security measures and prevent similar incidents from happening again.

General Bytes told affected customers to implement new security measures after the hack.  Source: General Bytes

Along with the reimbursement for affected customers, the ATM manufacturer has also said it is encouraging all customers to migrate to a self-hosted server installation, where they can effectively secure their server platform using a VPN.

"We are investing heavily in additional human resources to assist our clients in migrating their existing infrastructure to a self-hosted server installation."

According to General Bytes, the hack did not affect most ATM operators using self-hosted server installations "as these customers employ VPN technology to protect their infrastructure."

The ATM manufacturer first warned customers about the hacker in a March 18 patch release bulletin. As a result of the security breach, General Bytes shuttered its cloud services.

"General Bytes takes the security of our customers' funds and data very seriously. We apologize for any inconvenience caused and remain committed to serving our customers with integrity and professionalism."

The company is based in Prague and according to its website has sold over 15,000 Bitcoin (BTC) ATMs to purchasers in over 149 countries all over the world.

The team behind the world’s first hardware wallet says it’s still thriving after 8 years

As long as there's a recovery seed written down, a PIN and passphrase installed, it's theoretically impossible to hack the Trezor One, which debuted in 2014.

Like all things, Trezor, a household name in the crypto community with over 1 million units sold, came from humble beginnings. The idea all started out in 2011 after a Bitcoin (BTC) conference in Prague, Czechia — which, by the way, was just voted the most beautiful city in the world in a Time Out magazine survey. Two crypto enthusiasts, Pavol "Stick" Rusnák and Marek "Slush" Palatinus, envisioned a small, single-purpose computer that would securely store users' Bitcoin private keys.

In 2013, the two founded SatoshiLabs. The following year, the first-ever Trezor wallet — Trezor One — launched. Then came the Trezor Model T, which added a touchscreen to the device. Both are still found on the market worldwide, with their firmware patched each month or so. With the invention of seed recovery and passphrase protection, Trezor set the norm for the industry in terms of hardware wallet security.

During an exclusive interview with Cointelegraph, Kristýna Mazánková, head of PR at SatoshiLabs, and Josef Tětek, Trezor's brand ambassador, discussed how Trezor remains true to its goal of privacy and security after all these years. When asked about the vulnerability of their customers' data, they said:

"We don't have any data on our customers [in our servers] because every 90 days, we wipe whatever is stored. So that's something that is super important to us because we understand that everything is theoretically hackable."

They noted that, "When it comes to security, the key feature is it's a standalone physical device. It's not possible to hack it remotely."

"If somebody were to get your hardware wallet, there are additional layers of protection, such as the PIN code, which locks the device. Even if they were to get around that, there's always the recovery seed."

Tětek then explained that it's still not the end of the world if hackers manage to find one's recovery seed, as the inclusion of a passphrase makes the recovery seed useless by itself. "If you have your Trezor setup, with a recovery seed written down and protected with both PIN and passcode, there's no way to hack the device at all," says Tětek. However, he warned:

"Without the passphrase production, there is the possibility to read the seed from the device if you have very specialized equipment."

When asked about just how on Earth a hacker managed to hack a Trezor wallet and recover $2 million in 'lost' crypto in January, Mazánková and Tětek told Cointelegraph:

"It was like a double coincidence that the owner didn't update their firmware for five years and didn't have a password set up. So I think the engineer conducted about 1,000 tries to make sure he didn't fry the chip before extracting it because if he had one mistake on the chip, he would fry the chip, and the wallet would become non-recoverable."

Privacy and security aside, since the release of Model One and Model T, there have been additional features, such as doing everything on display, desktop, or web applications when connected. In addition, one can buy and sell Bitcoin and other cryptocurrencies directly to an address via Trezor Suite.

This year Trezor is also focusing on integrating CoinJoin into its hardware wallet. Made possible by Bitcoin's Taproot upgrade last November, CoinJoin collates multiple Bitcoin transactions into a single arrangement to obfuscate who owns which coin afterward, thereby significantly improving user privacy. Another major update on the table is being able to run one's own node directly from the Trezor Suite.