Key Takeaways:
- Bitcoin Depot lost 50.903 BTC, worth $3.665 million, after a March 23 cyberattack on corporate systems.
- Management deemed the event material on April 6 due to potential regulatory and reputational costs.
- Bitcoin Depot is now working with external experts to harden IT security and seek insurance recovery.
Details of the Security Breach
Bitcoin Depot, one of the world’s largest bitcoin ATM operators, revealed Wednesday, April 8, that it was the victim of a targeted cyberattack in late March that resulted in the unauthorized transfer of more than 50 bitcoin from corporate accounts. According to a Form 8-K filed with the Securities and Exchange Commission, the breach was first discovered March 23, 2026.
An unauthorized party infiltrated the company’s internal information technology systems, eventually gaining control of credentials for digital asset settlement accounts. The intruder siphoned 50.903 bitcoin from company-controlled wallets. At the time of the incident, the stolen assets were valued at approximately $3.665 million.
Despite the loss, Bitcoin Depot emphasized that the breach appears to have been localized to its corporate environment. The company stated that customer platforms remained unaffected and maintained that user data and environments were not breached.
“The Company has not identified evidence that customer personally identifiable information was accessed or exfiltrated in connection with the incident; however, the investigation remains ongoing,” the company stated in the filing.
Upon detecting the intrusion, the ATM operator activated emergency response protocols, engaged third-party cybersecurity specialists and notified law enforcement. The company is currently working to harden its infrastructure to prevent future breaches.
While the company initially stated the incident had not “materially impacted” daily operations, management now considers the event material due to the potential for “reputational harm, legal, regulatory, and response costs.” The company added that while it holds insurance policies for cybersecurity incidents, there is no guarantee the coverage will fully reimburse the $3.665 million loss.
The company said it does not believe the theft will have a long-term impact on its overall financial condition or its network of bitcoin ATMs across North America.
