Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month.
The company manages more than 25,000 Bitcoin ATMs and BDCheckout locations worldwide and reported revenue of $615 million in 2025.
As revealed in a filing with the U.S. Securities and Exchange Commission, the company discovered the attack on March 23 after detecting suspicious activity on some of its IT systems.
While it took immediate measures to contain the breach, the attackers had time to steal credentials to digital asset settlement accounts and transfer over 50 Bitcoin from Bitcoin Depot’s wallets before their access was blocked.
“On March 23, 2026, Bitcoin Depot Inc. (the “Company”) discovered that an unauthorized party gained access to certain of its information technology systems. Upon detection, the Company promptly activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement,” Bitcoin Depot said.
“As a result, the unauthorized actor transferred approximately 50.903 Bitcoin from Company-controlled wallets, valued at approximately $3.665 million as of the date of this report, without authorization. The Company further believes that the incident was contained to the Company’s corporate environment and did not affect the Company’s customer platforms, divisions, systems, data or environments.”
The company has also notified law enforcement of the breach and has hired external cybersecurity experts to help investigate the incident.
While it has insurance coverage for cyber-attacks, Bitcoin Depot says that this might not cover all losses directly resulting from the attack.
“On April 6, 2026, the Company nevertheless determined that the incident is material in light of potential consequences of the incident, including reputations harm, legal, regulatory and response costs,” it added.
“The Company maintains insurance coverage that may cover certain losses associated with cybersecurity incidents, but there can be no assurance that such coverage will be sufficient to recover any or all losses incurred as a result of this incident.”
Last year, Bitcoin Depot also notified nearly 26,000 people of a 2024 data breach, stemming from an attack in which threat actors breached its systems to steal the affected individuals’ personal information (i.e., full names, addresses, dates of birth, driver’s license numbers, email addresses, and phone numbers).
In December 2024, U.S. Bitcoin ATM operator Byte Federal disclosed a similar incident that resulted in a data breach affecting 58,000 customers.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
