Bitcoin ATM maker shuts cloud service after user hot wallets compromised

March 20, 2023 Coin Telegraph

API keys

Bitcoin ATM manufacturer General Bytes said a hacker was able to install and run a Java application in its terminals that could access user information and send funds from hot wallets.

Bitcoin ATM manufacturer General Bytes has shuttered its cloud services after discovering a “security vulnerability” that allowed an attacker to access users' hot wallets and gain sensitive information, such as passwords and private keys.

The company is a Bitcoin (BTC) ATM manufacturer based in Prague, and according to its website, has sold over 15,000 ATMs to over 149 countries all over the world.

In a March 18 patch release bulletin, the ATM manufacturer issued a warning explaining that a hacker has been able to remotely upload and run a Java application via the master service interface into its terminals aimed at stealing user information and sending funds from hot wallets.

On March 17-18th, 2023, GENERAL BYTES experienced a security incident.

We released a statement urging customers to take immediate action to protect their personal information.

We urge all our customers to take immediate action to protect their funds and https://t.co/fajc61lcwR… https://t.co/g5FGqvqZQ7
— GENERAL BYTES (@generalbytes) March 18, 2023

General Byes founder Karel Kyovsky in the bulletin explained this allowed the hacker to achieve the following:

"Ability to access the database.
Ability to read and decrypt API keys used to access funds in hot wallets and exchanges.
Send funds from hot wallets.
Download user names, their password hashes and turn off 2FA.
Ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM. Older versions of ATM software were logging this information."

The notice reveals that both General Bytes' cloud service was breached as well as other operators' standalone severs.

“We’ve concluded multiple security audits since 2021, and none of them identified this vulnerability,” Kyovsky said.

Hot wallets compromised

Though the company noted that the hacker was able to “Send funds from hot wallets,” it did not disclose how much was stolen as a result of the breach.

However, General Bytes released the details of 41 wallet addresses that were used in the attack. On-chain data shows multiple transactions into one of the wallets, resulting in a total balance of 56 BTC, worth over $1.54 million at current prices.

*General Bytes released the details of 41 wallet addresses used in the attack. Source: General Bytes*

Another wallet shows multiple Ether (ETH) transactions, with the total received amounting to 21.82 ETH, worth roughly $36,000 at current prices.

Cointelegraph reached out to General Bytes for confirmation but did not receive a reply before publication.

The company has urgently advised BTC ATM operators to install their own standalone server and released two patches for their Crypto Application Server (CAS), which manages the ATM's operation.

*General Bytes is a Bitcoin ATM manufacturer based in Prague that has sold over 15,000 ATMs worldwide. Source: General Bytes*

"Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN," Kyovsky wrote.

"Additionally consider all your user's passwords, and API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys & password."

General Bytes previously had its servers compromised via a zero-day attack in September last year that enabled hackers to make themselves the default administrators and modify settings so that all funds would be transferred.

Algodex reveals wallet infiltrated by ‘malicious’ actor as MyAlgo renews warning: Withdraw now

March 7, 2023 Coin Telegraph

Algodex

Crypto exchange Algodex and wallet provider MyAlgo have suffered security breaches in the last few weeks.

Algorand-based wallet provider MyAlgo has again urged users to withdraw their funds after a February security breach which doesn’t appear to have been resolved.

Update: Funds are still being actively drained from MyAlgo users. https://t.co/fzkS9PFkAm pic.twitter.com/cgrWigu2Wn
— ZachXBT (@zachxbt) March 6, 2023

Meanwhile, decentralized exchange Algodex has revealed a malicious actor infiltrated a company wallet on Mar. 5 in what “appears to be similar to what is currently happening in the Algorand ecosystem,” it said in a Twitter post.

In a Mar. 6 post, Algodex explained that during the early hours of the previous morning, a company wallet was infiltrated by a malicious actor.

According to Algodex, precautions were taken before the attack, including moving the bulk of their USDC and treasury tokens ALGX tokens to secure locations.

#PeckShieldAlert @AlgodexOfficial reported that a malicious actor infiltrated 1 of their corporate wallets (w/s ~55k)
The exploit seems to share similarities with the ongoing incidents in the #Algorand ecosystem@myalgo_ alerted users to withdraw funds/rekey funds to new account https://t.co/G7nhlzMebF
— PeckShieldAlert (@PeckShieldAlert) March 7, 2023

However, the infiltrated wallet was tied to Algodex's liquidity rewards program and was responsible for providing extra liquidity to the ALGX token.

"This resulted in the malicious actor being able to remove the Algo and ALGX in the Tinyman pool created by us to provide additional liquidity to the ALGX token," Algodex said.

The exchange noted that $25,000 in ALGX tokens meant to provide liquidity rewards were taken but said it would replace this in full.

It added that the total loss from the theft was less than $55,000, but Algodex users and the liquidity of ALGX were not affected.

Meanwhile, the wallet provider for the Algorand network, MyAlgo, has renewed warnings for users to withdraw their assets or rekey their funds to new accounts as soon as possible.

All users of MyAlgo must withdraw their funds or rekey their funds to new accounts asap! ⚠️ Do not wait!!

Create new account:https://t.co/FhRCndPvfS https://t.co/mj57KBg8Ml

Rekey Account Instructions:
Pera: https://t.co/PZog8fw0tO
Defly: https://t.co/PZog8fw0tO
— MyAlgo (@myalgo_) March 6, 2023

Multiple warnings have been issued on the tail end of a Feb. 19 to Feb. 21 security breach at MyAlgo, which resulted in losses of around $9.2 million.

On Feb. 27, the MyAlgo team tweeted a warning of a targeted attack carried out "against a group of high-profile MyAlgo accounts" conducted over the past week.

The wallet provider further stated the cause for the wallet hack was unknown and encouraged "everyone to take precautionary measures to protect their assets" by transferring funds or rekeying accounts.

Algodex, Lofty and AlgoCasino were all hit March 5th

This seems to be a little more than phishing as per experts in the field

It has been strongly advised by people smarter than me that we A) Rekey accounts B) Send tokens to a brand new non-MyAlgo wallet C) Rekey to cold wallet https://t.co/nS2frvmmyT
— AndrewW.algo (@AndrewWindmills) March 6, 2023

John Wood, chief technology officer at the networks governance body the Algorand Foundation, went on Twitter the same day, saying around 25 accounts were affected by the exploit.

“This is not the result of an underlying issue with the Algorand protocol or SDK,” he said at the time.

British Army’s social media accounts hacked by crypto scammers

July 4, 2022 Coin Telegraph

account compromise

Hackers had access to multiple official social media accounts of the British Army for nearly four hours, when they posted crypto phishing links and scams.

The British Army’s official Twitter, Facebook, and YouTube accounts were breached on July 3 for almost four hours, with scammers promoting rip-off non-fungible token (NFT) collections and cryptocurrency scams.

Just after 2PM ET on July 3, the United Kingdom Ministry of Defence (MOD) Press Office tweeted it was aware the Army’s social media accounts were compromised and had begun an investigation.

Nearly four hours later, close to 5:45PM ET, the Office provided an update that the account breaches were resolved. The British Army's official Twitter account also apologized for the posts, saying it would conduct an investigation and “learn from this incident.”

The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway.

The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further.
— Ministry of Defence Press Office (@DefenceHQPress) July 3, 2022

Screenshots of the British Army’s official Twitter account posted by users show the hackers promoting at least two fraudulent derivatives of “The Possessed” and “BAPESCLAN” NFT collections.

British Army Twitter account @BritishArmy appears to have been hacked pic.twitter.com/41HPtSeln1
— OSINTtechnical (@Osinttechnical) July 3, 2022

One screenshot shows the hackers pinning a tweet to a fake mint of The Possessed NFT collection, likely a phishing link that would drain user funds if their crypto wallet was connected. Tom Watson, one of the collection's creators, warned that the information was fake and asked his followers to report the account.

The @BritishArmy has been compromised and is currently being used to shill NFTs.

Previous archive of the Twitter profile: https://t.co/dQmlxlY5l8 pic.twitter.com/gifpsOy000
— vx-underground (@vxunderground) July 3, 2022

Over on YouTube, the hackers rebranded the account to resemble the Cathie Wood-founded investment firm Ark Invest, posting live stream videos of supposed interviews with Elon Musk and Twitter founder Jack Dorsey which were being watched by thousands of people.

the British Army's YouTube page, still under the control of some crypto scammers, is running 4 consecutive livestreams with approx 19,000 people watching as we speak. would be interesting if any of them who fall for the scam could have grounds to sue the Army pic.twitter.com/oVWrDsXKZ1
— Señor Rules (@wariotifo) July 3, 2022

On the commandeered YouTube channel, the posted videos presented QR codes for viewers to send crypto to, claiming they would receive double back, and promoted other cryptocurrency giveaway scams through QR codes.

It’s unknown at this time who was behind the attack, how they achieved it, and how many people may have fallen victim to the phishing and scam links. All of the links, tweets, and related material from the account breaches have since been deleted by the British Army.

As reported by Cointelegraph, as much as $1 billion has been lost to crypto scammers in 2021, with nearly 50% of all crypto-related scams coming from social media platforms. The United States Federal Trade Commission even labeled social media and crypto a “combustible combination for fraud.”

In late May, the Twitter account of NFT artist Beeple was compromised and posted links to a phishing website which netted the attacker over $438,000 in crypto and various NFTs. The links were made to look like a “surprise mint” of a new Beeple NFT collection.

Later in June, a similar “stealth mint” phishing link was posted on the compromised Twitter account of the upcoming Duppies NFT collection, with at least one victim losing 650 Solana (SOL), worth around $18,850 at the time.