Kraken Security Labs says a "large number" of Bitcoin ATMs are vulnerable to hacking because administrators never change the administrator's default QR code.
Kraken Security Labs says a "large number" of Bitcoin ATMs are vulnerable to hacking because administrators never change the administrator's default QR code. In a September 29 blog post, Kraken published a study by its Security Lab team that found there were "several hardware and software vulnerabilities" in the General Bytes BATMTwo ATM area. "Many attack vectors were detected via standard administrative QR codes, Android operating software, ATM management systems, and even machine hardware," the publication said.
Kraken's security team said a hacker accessing the management code could essentially "go to the ATM and compromise it" while highlighting issues with the lack of security mechanisms for billing BATMtwo as well as "critical vulnerabilities" in the ATM management system. However, General Bytes has reportedly warned ATM owners about the vulnerability: "Kraken Security Labs reported the vulnerability to General Bytes on April 20, 2021. They released a fix for their backend system (CAS) and notified their customers, but full fixes for some issues may still require hardware revisions."
The team also found that they were able to gain full access to the Android operating system behind the BATMTwo ATM by simply plugging a USB keyboard into the device and warning that “everyone” was installing apps, copying files, or any other malicious activity that could be done.” General Bytes is headquartered in the Czech Republic and currently has 6,391 General Bytes ATMs worldwide, according to Coin ATM Radar, which makes up 22.7% of the world market. However, the figure also takes into account the BATThree engine which Kraken has not yet reported on. Most of the BATM ATMs are located in the US and Canada with a total of about 5,300, while in Europe there are about 824 ATMs installed. Kraken urges BATMTwo owners and operators to change the default administrator code, update CAS servers and make ATMs visible to security cameras.
Bitcoin ATM Scam
While reports of hacked Bitcoin ATMs seem minimal, there are stories of smart people building scams around crypto ATMs. In March 2019, Toronto Police issued a public statement calling on the public to find four men suspected of having carried out a series of "double-expenditure" operations that cost $150,000 for a 10-day window that was brought in. The double cost is to cancel the transaction before the ATM can confirm the money but still make the distribution. Oakland Press reported in June. 22 Berkeley women were swindled for a total of $15,000 this year after scammers introduced themselves as public security officers and federal officials. Fraudsters reportedly told victims they had unfulfilled orders and tax violations, and asked them to pay the fine via local bitcoin ATMs in the area. Malwarebytes published a study in August that uncovered a trend of fraud at Bitcoin ATM gas stations, with participants in the threat posting fake job advertisements to defraud candidates for money laundering.
El Salvador is now home to the third largest crypto ATM network after the US and Canada, accounting for 70% of all crypto ATMs in South America. According to data from Coin ATM Radar, El Salvador has surpassed the number of crypto ATMs in the UK and has deployed 205 crypto ATMs to date to facilitate local bitcoin transactions and bitcoin (BTC) conversion to US dollars. When compared with the Statistic data on August 16, it is clear that El Salvador installed 201 ATMs in just one month. Previously, the country was 43rd on the list with only four working crypto ATMs.
President Nayib Bukele previously said that the introduction of Bitcoin would initially be supported by a network of 200 ATMs and 50 branches. The government of El Salvador has teamed up with an internal cryptocurrency wallet provider called Chivo to run BTC wallet and ATM usage in the country. Crypto ATM installations are at record levels worldwide, with 27,664 active machines and 2,790 new machines added in September. The increase in ATM installations in El Salvador is in line with a recent presidential order that all businesses must accept bitcoin payments. However, merchants still have the option to convert Bitcoin payments to US dollars before withdrawing their earnings. While other jurisdictions have yet to decide whether to use Bitcoin as a fixed asset, an average of 63.7 ATMs are still installed worldwide each day. Genesis Coin remains the leading crypto ATM producer with a market share of 40.7%, while General Bytes and BitAccess represent 22.7% and 12.7% of the market, respectively.
The introduction of Bitcoin in El Salvador faced some resistance from locals, which recently resulted in the burning of the Chivo-backed Bitcoin machine. Protesters against the introduction of Bitcoin highlight concerns about uncertainty, price volatility and lack of presence in the crypto market. The Chivo Pavilion is the government's first attempt to create the infrastructure to convert BTC to US dollars. El Salvador currently uses Bitcoin and US dollars as legal tender. Bitcoin critics and protesters against El Salvador President Naib Bukele's policies have destroyed the crypto pavilion in the nation's capital.
The Teleprensa newspaper and others posted videos on social media showing a Chivo-operated pavilion in San Salvador burning through a crowd of journalists and protesters on Wednesday. The Bitcoin (BTC) machine, one of many hosted by the government of El Salvador since the country's cryptocurrency was introduced as legal tender, has a logo against BTC and a sign that says "Democracy is not for sale." San Salvador Mayor Mario Duran said city workers had been withdrawn from the area after receiving threats but planned to return that afternoon. At the time of publication, the damage appeared to be limited to a Chivo machine in the Plaza Gerardo Barrios in the center of the capital, but protesters are also believed to have burned furniture from one of the shops in the square.
The Chivo Pavilion – like Bitcoin ATMs – is one of about 200 in El Salvador, part of the government's move to accept BTC as legal tender along with US dollars. President Bukele said he hoped crypto ATMs would at some point be "ubiquitous" in the country, but said no one would be forced to use Bitcoin. Even before the Bitcoin law came into effect on September 7, El Salvador faced resistance to the law it deemed radical. Protesters calling themselves the resistance bloc and popular uprising marched through the streets of the capital in July, while a group of retirees, veterans, retirees with disabilities and other workers held their own demonstration the following month. On the same day that the country's Bitcoin law came into effect, the price of the crypto asset fell below $43,000, leading Bukele to say he was "buying immersion" by spending the additional 150 BTC purchased. At the time of publication, the price of BTC is $47,978 and has increased by more than 3% in the last 24 hours.