Cyber Incident Victim: General Bytes

Date:

Aug 2022

Location:

Czechia

Summary

A security breach at a cryptocurrency ATM provider involved attackers exploiting a vulnerability in the server's administrative interface to remotely create an admin user, giving them unauthorized access to modify crypto settings on two-way machines. After locating exposed servers by scanning specific ports, the attackers redirected invalid customer payments to their own wallets, resulting in approximately $16,000 in losses. The vulnerability had existed in certain software versions and was addressed via patches; the breach was limited to application-level access and did not compromise underlying systems, passwords, or sensitive keys. Affected operators were notified promptly, and the incident was reported to law enforcement.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On August 18, 2022, General Bytes disclosed a critical security breach affecting its Crypto Application Server (CAS) software used to manage Bitcoin ATMs globally. Attackers exploited an unpatched vulnerability in the CAS administrative interface, present since version 20201208, which allowed remote creation of an admin user through a URL call on the default installation page. The attackers scanned Digital Ocean cloud IP addresses to identify CAS instances running on ports 7777 or 443, targeting both General Bytes’ cloud-hosted services and independent operators using the recommended hosting provider. After gaining access, the attackers created a new default admin account, renamed the original admin user to "gb," established unauthorized organizations and terminals, and modified crypto settings on two-way ATMs. They inserted their wallet addresses into the "Invalid Payment Address" field, redirecting customer funds during failed transactions to their wallets. General Bytes confirmed the attackers did not compromise host operating systems, file systems, databases, or access credentials like passwords or API keys. The breach began three days after the company publicly announced a "Help Ukraine" feature, though no direct correlation was confirmed.

General Bytes responded by deactivating all two-way ATMs on its cloud service and issuing emergency patches (versions 20220531.38 and 20220725.22). Operators were instructed to upgrade servers, restrict CAS admin interface access to trusted IPs via firewall rules, review and delete unauthorized users/terminals (notably any named BT123456), reset passwords, and audit crypto settings to remove attacker-controlled wallets. The company emphasized verifying terminal pairings and reactivating only trusted machines after these steps. By August 22, 2022, General Bytes reported the incident to Czech police, citing $16,000 in confirmed losses from operator reports. A September 2 update revealed at least one operator suffered additional losses due to failing to delete an attacker-created terminal post-patch. The breach impacted an unspecified number of the company’s 8,800 global ATMs across 120 countries, though the full scope remained undetermined. All affected operators were notified within hours of detection, and General Bytes requested incident details via a dedicated form to support its investigation.

Sources

2 sources (available to members)