Cyber Incident Victim: Bitcoin Depot

On March 23, 2026, Bitcoin Depot detected an intrusion into its IT systems, as disclosed in an SEC filing. The attacker obtained credentials for digital asset settlement accounts, which enabled the theft of approximately 50.903 bitcoin from the company’s wallets. The stolen bitcoin was valued at roughly $3.6 million at the time of the incident. Bitcoin Depot stated that the incident was contained to its corporate environment and did not affect customer platforms, divisions, systems, data, or environments. The company launched an investigation into the full extent of the incident, which remains ongoing.

Bitcoin Depot recorded a preliminary estimate of loss of approximately $3.665 million, representing the fair value of the unauthorized bitcoin transfer as of the incident date, noting that the ultimate impact may differ as the investigation continues. The company indicated that the attack has not had a material impact on its operations but may lead to reputational, legal, incident response, and regulatory costs. In July 2025, Bitcoin Depot had previously notified more than 26,000 individuals of a data breach that occurred a year earlier, during which hackers accessed files containing names, phone numbers, email addresses, dates of birth, physical addresses, and driver’s license numbers; the disclosure was delayed by a year due to a law enforcement investigation.

The announcement of the March 2026 bitcoin theft came just days after threat actors believed to be operating out of North Korea were reported to have stolen $285 million from the DeFi platform Drift in a carefully planned attack. Bitcoin Depot’s SEC filing and public statements constitute the company’s response to the incident, including the containment assertion, the ongoing investigation, and the preliminary loss estimation.