New Malware Targeting Bitcoin ATMs Pops Up

The fintech industry has seen several changes in terms of technology, including new ATM capabilities and the increasing use of cryptocurrencies. These two intersect in what’s known as a Bitcoin (BTC) ATM.

Although it looks similar to a regular ATM, a Bitcoin ATM differs in certain important aspects. Perhaps the most notable difference is that a Bitcoin ATM does not connect to a bank account. Instead it connects to a cryptocurrency exchange. The purchased bitcoins go to the customer’s digital wallet. In essence, a Bitcoin ATM is not really an ATM in the traditional sense but rather is rather more like a kiosk that allows users to connect to exchanges.

How safe are these Bitcoin ATMs?

Regular ATMs are popular targets for cyber-criminals, and we have recenty noted a shift away from physical tools such as skimmers to malware-based attacks. Bitcoin ATM malware has so far been significantly less talked about, perhaps because of the relatively low number of machines currently available globally.

With the increasing popularity as well as real-world use of cryptocurrencies and the fact that cyber crooks will always try to exploit something that can make money for them, mining malware has been prevalent in the past year. It shouldn’t come as a surprise then that malware targeting Bitcoin ATMs will pop up in underground markets.

Unlike regular ATMs, there is no single set of verification or security standards for Bitcoin ATMs. For example, instead of requiring an ATM, credit, or debit card for transactions, a Bitcoin ATM involves the use of mobile numbers and ID cards for the user identity verification. The user then has to input a wallet address or scan its QR code.

These wallets used to store virtual currencies are not standardized either and are often downloaded from app stores, posing another security problem. Given the seemingly Wild West nature of Bitcoin ATM security, cybercriminals are sure to take advantage.

While searching through underground forums, we noticed an apparently established and respected user offering Bitcoin ATM malware (see Figure 1).


Figure 1. A Listing for a Bitcoin ATM malware

The actual listing for said malware contains more details. Buyers receive not just the malware but also a ready-to-use card that comes with EMV and NFC capabilities. According to the listing, the malware exploits a service vulnerability that allows the user to receive bitcoins worth up to $6,550. The malware doesn’t come cheap, as it is being sold for $25,000. The number of reviews (over 110) show that the seller has earned quite a large amount from various offerings, including this malware.


Figure 2. Detailed listing for BTC ATM malware

Another thread reveals that the seller is also offering regular ATM malware that has been updated for EMV standards. The posts in the thread further expound on how this malware works, including the use of a menu vulnerability to disconnect the machine from the network to disable alarms.


Figure 3. Listing for the EMV-updated ATM malware

In Figure 4, we can see that the seller offers a range of financial-related malware as well as compromised accounts, which indicates that this individual is an experienced cyber-criminal who seems to be constantly expanding his/her offerings.


Figure 4. Financial-related malware and compromised accounts. 

 What we can ascertain from this is that cyber crooks interested in amassing bitcoins and other cryptocurrencies are no longer limiting themselves to cryptomining malware. As long as there is money to be made — and there is quite a bit of money in cryptocurrencies — cyber crooks will continue to devise tools and to expand to lucrative new “markets.” As the number of Bitcoin ATMs grows, we can expect to see more forms of  malware targeting cryptocurrency ATMs far in the foreseeable future.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.