The financial industry has seen several changes in terms of technology, including new ATM capabilities and the increasing use and popularity of cryptocurrencies. These two intersect in what’s known as a Bitcoin (BTC) ATM.
Although it looks similar to a regular ATM, a Bitcoin ATM differs in certain important aspects. Perhaps the most notable difference is that a Bitcoin ATM does not connect to a bank account. Instead it connects to a cryptocurrency exchange, which is a platform for buying and selling cryptocurrencies like bitcoin. The purchased bitcoins go to the customer’s digital wallet. In essence, a Bitcoin ATM is not really an ATM in the traditional sense of the word but is rather more like a kiosk or terminal that allows users to connect to exchanges.
But how safe are these Bitcoin ATMs?
Regular ATMs are popular targets for cybercriminals, and we have recenty noted a shift away from physical tools such as skimmers to malware-based attacks. Bitcoin ATM malware has so far been much less talked about, perhaps because of the relatively low number of machines currently available globally.
With the increasing popularity and real-world use of cryptocurrencies and the fact that cybercriminals will always try to exploit something that can make money for them, mining malware has been prevalent in the past year. It shouldn’t come as a surprise then that malware targeting Bitcoin ATMs will pop up in underground markets.
Unlike regular ATMs, there is no single set of verification or security standards for Bitcoin ATMs. For example, instead of requiring an ATM, credit, or debit card for transactions, a Bitcoin ATM involves the use of mobile numbers and ID cards for user identity verification. The user then has to input a wallet address or scan its QR code. The wallets used to store digital currencies are not standardized either and are often downloaded from app stores, posing another security problem. Given the seemingly Wild West nature of Bitcoin ATM security, cybercriminals are sure to take advantage.
While searching through underground forums, we noticed an apparently established and respected user offering Bitcoin ATM malware (see Figure 1).
Figure 1. Listing for a Bitcoin ATM malware
The actual listing for the malware contains more details. Buyers receive not just the malware but also a ready-to-use card that comes with EMV and NFC capabilities. According to the listing, the malware exploits a service vulnerability that allows the user to receive bitcoins worth up to 6,750 in U.S. dollars, euros, or pounds. The malware does not come cheap, as it is being sold for US$25,000. The number of reviews (over 100) shows that the seller has earned quite a large amount from various offerings, including this malware.
Figure 2. Detailed listing for BTC ATM malware
Another thread reveals that the seller is also offering regular ATM malware that has been updated for EMV standards. The posts in the thread further expound on how the malware works, including the use of a menu vulnerability to disconnect the machine from the network to disable alarms.
Figure 3. Listing for EMV-updated ATM malware
In Figure 4, we can see that the seller offers a range of financial-related malware and compromised accounts, which indicates that this person is an experienced cybercriminal who seems to be constantly expanding his wares.
Figure 4. Financial-related malware and compromised accounts
What we can glean from this is that cybercriminals interested in amassing bitcoins and other cryptocurrencies are no longer limiting themselves to cryptomining malware. As long as there is money to be made — and there is quite a bit of money in cryptocurrencies — cybercriminals will continue to devise tools and to expand to lucrative new “markets.” As the number of Bitcoin ATMs grows, we can expect to see more forms of malware targeting cryptocurrency ATMs in the future.