Bitcoin Depot disclosed that attackers breached its corporate systems and stole roughly $3.66 million in Bitcoin after compromising credentials tied to its digital asset settlement accounts.
The incident was detailed in a Form 8-K filing submitted to the US Securities and Exchange Commission (SEC), in which the company stated it first detected unauthorized access on March 23, 2026. According to the filing, the threat actor infiltrated parts of the company’s internal IT environment and gained control over credentials associated with wallets used for settling digital asset transactions.
Using this access, the attacker transferred approximately 50.903 Bitcoin from company-controlled wallets. Based on Bitcoin’s valuation at the time of disclosure, the stolen assets are estimated to be worth about $3.665 million. The company has not disclosed how the credentials were compromised, noting that the investigation remains ongoing.
Bitcoin Depot said it immediately activated its incident response plan upon detecting the breach, bringing in third-party cybersecurity specialists and notifying law enforcement authorities. The company is continuing forensic analysis to determine the full scope and root cause of the intrusion, and stated it will update its disclosure if new material information becomes available.
Bitcoin Depot operates one of the largest networks of cryptocurrency ATMs in North America, allowing users to buy and sell Bitcoin and other digital assets through physical kiosks.
Despite the financial loss, Bitcoin Depot emphasized that the breach was limited to its corporate environment and did not impact customer-facing systems. The company stated it has found no evidence that customer data, including personally identifiable information (PII), was accessed or exfiltrated during the incident. Its crypto ATM network and customer transaction platforms remain operational.
The company further noted that the incident has not had a material impact on its day-to-day operations, though it classified the breach as “material” due to potential secondary effects such as reputational damage, regulatory scrutiny, and incident response costs.
Bitcoin Depot also indicated that it maintains cybersecurity insurance that may help offset some losses, but cautioned that coverage may not fully compensate for the stolen assets or associated costs.
As part of remediation efforts, the company is strengthening its internal security controls to prevent future unauthorized access.
Leave a Reply