Bitcoin ATM company Coin Cloud got hacked. Even its new owners don’t know how

20 views 7:38 am 0 Comments December 19, 2023

In November, the cybersecurity collective vx-underground wrote on X, formerly Twitter, that unknown hackers were claiming to have breached Coin Cloud, a bankrupt Bitcoin ATM company.

According to vx-underground, the hackers claimed to have stolen 70,000 pictures of customers taken from cameras embedded in the ATMs, as well as the personal data of 300,000 customers, which is alleged to include, “Social Security Numbers, date of birth, First Name, Last Name, e-mail address, Telephone Number, Current Occupation, Physical Address, and more.”

Nobody has claimed the hack publicly. A month on, what really happened to Coin Cloud remains a mystery, even according to the company’s new owner.

Coin Cloud was a company that maintained thousands of Bitcoin ATMs across the U.S. and Brazil, according to its official website, until the company filed for bankruptcy in February. In July, Genesis Coin, another Bitcoin ATM provider, acquired 5,700 ATMs from the since-defunct Coin Cloud, according to a press release published at the time. Genesis Coin was itself acquired earlier in January by Andrew Barnard and an associate, who owned another cryptocurrency ATM company called Bitstop.

Contact Us

Do you have more information about the Coin Cloud hack? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.

Barnard, who serves as the CEO of Bitcoin ATM, the re-branded company after the purchase of some Coin Cloud assets in the bankruptcy proceedings, told TechCrunch that his company launched an investigation after the vx-underground tweet, but it couldn’t conclude when the breach happened or who was responsible, and he himself described the incident as “a mystery.”

“The data breach happened a while ago as Coin Cloud has been hacked multiple times in the past when they were still an operating company,” said Barnard. “I believe that data is just now being ransomed. It’s impossible to say [when] as there were little controls throughout the software development process and multiple international contractors had access to source code that contained secrets within it to access the [database],” Barnard said in an email.

“It doesn’t look like the services which Coin Cloud kept alive were recently breached from what we were shown,” added Barnard. “Therefore it’s reasonable to assume this is data that has already been stolen from one of the previous times Coin Cloud was hacked. It’s an assumption, but a reasonable one. It’s impossible to really say when the data was compromised or who did it. So many vendors and internal employees had access to it that it could have happened at many different times over the years.”

Barnard said that if someone obtained the source code, which contained the admin credentials to the database, the hackers “would have access to all the [Know Your Customer] information of customers.”

Know Your Customer, or KYC, are checks carried out by tech and financial companies for verifying a person’s identity to prevent fraud and money laundering. KYC checks often rely on customers submitting scans of their identity documents.

A former Coin Cloud employee, who asked to remain anonymous, told TechCrunch that Coin Cloud was “an absolute disaster to work for.”

“We didn’t have a security team,” the former employee said, adding that she believes Coin Cloud got hacked at least once last year, and that the company stored a lot of data in plaintext, meaning it wasn’t encrypted.