Kraken Security Labs, the research division of Kraken, a major US cryptocurrency exchange, reported on the 29th that it has found several vulnerabilities in a widely deployed Bitcoin ATM model.
According to the lab's blog post, it found multiple hardware and software vulnerabilities in the General Bytes BATMtwo (GBBATM2). The issues affect the default administrative QR code, the Android operating system the machine runs, the ATM management software, and even the physical enclosure, and together they create a severe risk of unauthorized use.
Based in the Czech Republic, General Bytes is the world's second-largest Bitcoin ATM provider, with about 6,380 machines deployed worldwide, roughly 23% of the Bitcoin ATM market.
Of these, about 5,300 are in the United States and Canada and more than 820 are in Europe. The company's BATMtwo series supports more than 40 cryptocurrencies, including Ethereum, Litecoin and Dogecoin in addition to Bitcoin.
Kraken Security Labs had already reported the vulnerabilities to General Bytes in April 2021. The company then released patches for its backend system, the Crypto Application Server (CAS), and alerted its customers. However, Kraken noted that some of the issues cannot be fully fixed in software and may still require hardware revisions.
The researchers found that anyone who has the default administrative QR code can put an ATM into its management mode and manipulate it. Kraken ordered several machines and found that all of them shipped with the same default code, and many operators never change it, so the factory default remains valid on machines in the field.
The research also showed that the rear door, which an operator opens to swap the cash box, gives anyone who reaches it direct access to the internal embedded computer, webcam, fingerprint reader and other components. Because opening the door triggers no alarm, a physical attack can go unnoticed, which significantly increases the risk.
Kraken is now urging ATM operators to change the default administrative QR code, update their CAS server to the patched version, and place machines only in trusted locations where physical access is controlled.