America's largest bitcoin ATM operator revealed that attackers stole 50.9 BTC from its corporate settlement wallets in late March after compromising internal credentials, prompting an FBI investigation and a material event filing with the SEC.
Bitcoin Depot, the largest bitcoin ATM operator in the United States, disclosed on Wednesday that hackers stole approximately 50.9 bitcoin — worth $3.6 million at the time — from company-controlled settlement wallets after gaining access to corporate systems through compromised credentials.
The breach occurred on 23 March but wasn't detected for three days; the company's internal team only flagged the unauthorised transfers on 26 March. Bitcoin Depot activated its incident response protocols, brought in external cybersecurity specialists, and notified local law enforcement. On 9 April, the company filed a report with the FBI in the hope that federal agents can trace the stolen funds on-chain.
The attack vector was unremarkable but effective. The hackers obtained credentials linked to Bitcoin Depot's digital asset settlement accounts — the corporate wallets used to process and settle transactions from its network of ATMs — and executed a series of transfers before anyone noticed. No exploit of smart contract code, no sophisticated zero-day vulnerability; just stolen passwords and a window of opportunity.
Bitcoin Depot determined on 6 April that the incident was material, triggering a mandatory 8-K filing with the Securities and Exchange Commission. The company booked an expense equal to the stolen bitcoin's fair market value. It carries cyber insurance and expects to recover some of the loss, though the extent of that recovery remains unclear.
Customer-facing systems appear to have escaped the breach. ATMs continued operating throughout the incident, and the company said it found "no evidence so far that attackers accessed or stole customer personal data" — though management acknowledged that its assessment could change as the forensic investigation progresses. The qualification matters; credential-based intrusions frequently turn out to be broader than initial scans suggest, and the three-day detection gap leaves room for lateral movement that hasn't yet been identified.
The incident sits within a grim pattern. Corporate crypto custodians have faced a steady drumbeat of attacks in 2026, from the $270 million Drift Protocol exploit — carried out by North Korean state-affiliated hackers via a six-month social engineering campaign — to smaller but persistent breaches targeting exchanges, ATM networks, and infrastructure providers. The common thread across most of these incidents isn't exotic cryptographic weakness; it's operational security failures, compromised credentials, and insufficient monitoring.
Bitcoin Depot operates more than 8,000 ATMs across the US. Its machines serve a customer base that skews toward users who prefer cash-to-crypto conversion — a demographic that often overlaps with the unbanked and underbanked. The company went public via a SPAC merger in 2023 and trades on Nasdaq under the ticker BTM. Its market capitalisation, already depressed by a broader crypto market drawdown, will face additional pressure from the disclosure.
The $3.6 million loss is small relative to the headline figures that dominate crypto security coverage, but the mechanism — credential theft from a publicly traded, SEC-reporting company — is the kind of incident that draws regulatory attention. FinCEN's proposed AML rules for stablecoin issuers and the SEC's broader push for cybersecurity disclosure requirements mean that corporate crypto companies face mounting expectations around how they secure, monitor, and report on digital asset custody.
Bitcoin Depot's forensic investigation is ongoing. The FBI's involvement suggests that chain analysis firms are likely already tracing the stolen funds, but recovery in credential-based theft cases — where attackers typically move assets through mixers or cross-chain bridges within hours — remains the exception rather than the rule.
