Bitcoin Depot hack — $3.7M lost

Bitcoin Depot disclosed a cyber attack that resulted in the theft of about $3.7 million in cryptocurrency, underscoring continuing operational risk for exchange‑adjacent and payments infrastructure. The company framed the loss as a targeted security incident rather than a systemic market event, but it serves as another reminder that custodial and kiosk networks remain attractive targets. Repeated, mid‑sized breaches keep insurance, audit and hot‑wallet risk central to counterparty due diligence (investing.com).

Hackers did not hit a crypto exchange this time. They got into Bitcoin Depot’s internal systems on March 23 and moved 50.903 bitcoin out of company settlement accounts, a theft the company valued at about $3.7 million. (sec.gov) (theblock.co)

Bitcoin Depot says the breach touched company-controlled wallets, not customer accounts, customer apps, or the cash-to-crypto machines people use in stores. That makes this less like a bank run and more like someone getting the master key to the back office. (banklesstimes.com) (securityweek.com)

The stolen accounts were “digital asset settlement accounts.” Those are the working wallets a kiosk operator uses to keep coins moving, the same way a grocery store keeps cash in the till instead of in a vault across town. (thecyberexpress.com) (cryptorank.io)

Bitcoin Depot is not a tiny operator. In its March 2026 earnings release, the company said users can buy bitcoin at its kiosks in 47 states and at thousands of retail locations in 31 states through its BDCheckout product. (sec.gov)

That scale explains why attackers go after the plumbing instead of the storefront. A company with thousands of locations needs wallets, credentials, and settlement systems constantly moving funds behind the scenes, and each connection is another door that has to stay locked. (sec.gov) (cryptorank.io)

Bitcoin Depot said it activated incident response procedures after detecting the intrusion. It also said it brought in outside forensic investigators and reported the event to law enforcement. (thecyberexpress.com) (bitcoinfoundation.org)

The awkward part of a theft like this is that bitcoin transfers do not have a chargeback button. If an attacker gets valid credentials and sends coins out, recovery depends on tracing and freezing funds later, not on reversing the original transfer. (securityweek.com) (thecyberexpress.com)

This also lands at a bad time for the business. Bitcoin Depot’s latest earnings release said 2025 net income fell to $4.7 million from $7.8 million in 2024, which means a $3.7 million theft is large relative to one full year of profit. (theblock.co) (sec.gov)

The company also told investors it expects core-business revenue to decline by 30% to 40% in 2026 because of tighter state rules and compliance costs. A hit to earnings is one problem, but a hit to controls when regulators are already watching the sector is a second one. (theblock.co) (sec.gov)

Bitcoin Depot had already been dealing with another security issue. In 2025, reports said it notified more than 26,000 users about a 2024 data breach involving driver’s license information after a delayed public notice. (cybernews.com) (dailysecurityreview.com)

So the lesson here is not that bitcoin itself broke. The weak point was the same one that shows up across finance again and again: passwords, internal access, and the ordinary business systems sitting between customers, cash, and the wallets that settle everything. (sec.gov) (securityweek.com)
