Bitcoin Depot discloses a critical security vulnerability; hackers stole $3.6 million in BTC

Bitcoin ATM operator Bitcoin Depot filed documents with the U.S. Securities and Exchange Commission (SEC) on April 9, disclosing that the company suffered a major security breach on March 23. The hackers gained access by compromising the company’s IT systems and stealing login credentials for its digital-asset settlement account. Without authorization, they transferred approximately 50.9 bitcoins, resulting in an estimated loss of about $3.67M based on the market value at the time of the theft.

Attack Path Breakdown: How Stolen IT Login Credentials Led to BTC Loss

(Source: SEC)

According to Bitcoin Depot’s SEC disclosure documents, this attack involved a full infiltration and transfer chain:

Attack Path and Loss Summary

Compromise of the IT system: The attackers successfully infiltrated the company’s internal IT system and obtained login credentials for the digital-asset settlement account

Unauthorized funds transfer: Using the stolen credentials, they completed an illegal transfer of crypto assets without anyone’s knowledge

Scale of loss: 50.9 bitcoins, with the loss estimated at about $3.67M based on the market value at the time of the theft

Customer-side impact: The customer-facing ATM platform and users’ personal data were not affected

Incident timing: The vulnerability occurred on March 23, 2026

As of the time the report was published, Bitcoin Depot had not issued any public statement about the matter other than the SEC filing, nor had it responded to media requests for comment.

Company Response and Potential Follow-On Costs

After discovering the intrusion, Bitcoin Depot activated its incident response process, hired external cybersecurity experts to investigate the attack path and secure remaining assets, and also reported the matter to law enforcement, but it did not specifically disclose which organizations were involved in the investigation.

The company initially estimated its loss at $3.67M, but the SEC filing did not disclose whether the company held insurance for digital-asset theft, nor did it explain the potential impact of this loss on Bitcoin liquidity operations across the entire ATM machine network. Bitcoin Depot stated clearly that the risks arising from this incident include reputational damage, legal costs, regulatory intervention, and emergency response expenses, which could create a long-term financial burden for the company’s operations.

On the market reaction front, BTM shares surged by as much as 15% during that day’s trading, closing at $2.74, but fell back after the SEC filing was released. Notably, the stock has already declined by 44% over the past 30 days.

Second Security Incident: Systemic Security Challenges Facing ATM Operators

This is at least the second known major security incident involving Bitcoin Depot—back in 2023, the company suffered another hacker attack that led to the exposure of personal data for about 58k users. The consecutive occurrence of these two incidents highlights the systemic pressure that Bitcoin ATM operators face in terms of security defenses.

Because ATM operators must maintain large reserves of cryptocurrency to support customer transactions, they have become a highly targeted mark for cybercriminals. While these companies connect physical cash with cryptocurrency infrastructure, they also have to manage complex digital custody systems, creating a unique cross-attack surface between physical security and network security.

This incident also comes as Bitcoin Depot faces increasingly stringent regulatory scrutiny—earlier this year, in February, under pressure from regulatory authorities, the company tightened identity-verification requirements for all ATM transactions to strengthen anti-fraud and anti–money laundering compliance.

Frequently Asked Questions

How much loss did Bitcoin Depot suffer from the hack?

According to documents Bitcoin Depot filed with the SEC, the hackers stole approximately 50.9 bitcoins, resulting in an estimated loss of about $58k based on the market value at the time of the theft. The company has not disclosed whether it held insurance for digital-asset theft, nor has it explained the potential impact of the loss on ATM liquidity operations.

Was the customers’ personal data affected by this hack?

In the SEC filing, Bitcoin Depot explicitly stated that the company’s customer-facing ATM platform and users’ personal data were not affected by this intrusion. This incident primarily impacted the company’s internal digital-asset settlement account, with customer-side systems kept isolated.

What number security incident is this for Bitcoin Depot?

This is at least Bitcoin Depot’s second known major security incident. In 2023, the company suffered another hacker attack that exposed personal data for about 58k users, forming a concerning recurring pattern of security incidents.