Bitcoin ATMs are a rapidly growing presence in the United States and, some experts say, a rapidly growing cybercrime menace. ATMs dealing in bitcoin are similar to their cash cousins: there are PINs to punch and withdrawal fees, just like any other ATM.
Unlike cash ATMs, though, the high value of crypto makes them prime targets for hackers. So, while a cash ATM tucked away between the snack cakes and energy drinks at a gas station may not draw much attention, a bitcoin ATM gets more scrutiny from bad actors.
“It’s clear that these machines are particularly vulnerable to both physical and cyber threats, making them a prime target for hackers and thieves,” said Timothy Bates, clinical professor of cybersecurityat the University of Michigan’s College of Innovation and Technology.
Bitcoin ATMs can be susceptible to attacks where hackers install malware on the machines to capture private keys, steal funds, or manipulate transactions, which Bates said is “especially concerning for ATMs that may not receive regular software updates or security patches.” Network vulnerabilities are also a weak spot. “If the machine’s network communications are not adequately secured, attackers can intercept data transfers between the ATM and the server, leading to data theft or unauthorized access,” Bates said.
Whether it’s hackers or scammers, the government is sounding the alarm about bitcoin ATMs. The Federal Trade Commission reported this week that scam incidents have risen by 1,000% since 2020.
Ironically, a bitcoin ATM’s risks are directly related to its strengths, according to Joe Dobson, principal analyst at Mandiant, a Google Cloud-owned cybersecurity company. Bitcoin is decentralized, permission-less, and immutable. “A transaction cannot be reversed or recalled if funds are deposited to the wrong address,” Dobson said. And while many crypto bulls find bitcoin’s lack of governance appealing, that can be problematic in ATMs. “There is no governing body within bitcoin dictating who can or cannot run a bitcoin ATM, hence many independent organizations operate the ATMs,” Dobson said.
There are also old criminal tricks that might be reversible in a traditional banking situation, but in the world of bitcoin, that is not so. For example, someone could maliciously slip their personal deposit slips into the stack at the bank, tricking folks into depositing money into their account. “A similar attack can happen with bitcoin ATMs,” Dobson said. “If an attacker compromises a bitcoin ATM, they may change the receiving wallet address (or ‘account number’), effectively stealing user funds.”
But in addition to old tricks, there are newer threats bitcoin ATMs introduce that cash ATMs do not face. Many bitcoin ATMs require personally identifiable information, such as an ID or even a Social Security number to comply with financial industry Know Your Customer (KYC) requirements. This information could be at risk if a bitcoin ATM is compromised.
In Middletown, Ohio, at the Middletown Food Mart in a hollowed-out end of town, a Bitcoin Depot ATM sits opposite a regular cash ATM, blending in among the potato chips, bottled water, and beer. Middletown’s claim to fame lately is as the hometown of Donald Trump’s running mate Ohio Senator J.D. Vance, who has refashioned himself, similar to Trump, as a pro-cryptocurrency warrior. The Middletown Food Mart sits across the street from where Vance grew up.
‘Elon Musk told me to do it.’
Sai Patel, whose family owns Middletown Food Mart, says the bitcoin ATM isn’t very busy.
“Maybe once a month someone comes in to use it,” Patel said. And if it is someone new, Patel will patiently explain how the machine works. He also keeps an eye out for unusual activity. Although the bitcoin ATM isn’t exactly drawing crowds, Patel says a surprising number of senior citizens show up at the kiosk, alarming given the rise of bitcoin ATM scams targeting seniors.
“Elderly people come in and use it,” Patel said.
He described one encounter where an elderly woman entered his shop and headed for the bitcoin ATM, then attempted to send a lot of money somewhere but had questions about using the machine. When Patel asked the woman a few questions as to why, she said, “Elon Musk told me to do it.” Patel quickly realized she had fallen prey to a scam. “I told her, no, no, no, it’s a scam,” Patel said, and he stopped her from dumping her life savings into the machine.
Alice Frei, head of security and compliance at blockchain communications & consulting agency Outset PR, says bitcoin ATM fraud is costly, enhanced by the sometimes shadowy world of crypto.
“Cryptocurrencies are easily exchanged online, often without clear identification of the parties involved. Criminals exploit this anonymity and move money almost invisibly, often employing techniques such as cross-blockchain ‘bridges’ to further obscure transactions,” she said.
And then there’s the fact that an ATM scam probably doesn’t originate in the town where it occurs. “Many crypto exchanges involved in these activities are based offshore, beyond the reach of regulators, making it difficult to trace and recover stolen funds,” Frei added.
Basic steps to avoid bitcoin ATM scams
To protect against these scams, users should be cautious and skeptical of any request to pay through a bitcoin ATM. Legitimate businesses rarely, if ever, demand payment in bitcoin through a machine.
“Verifying the legitimacy of a transaction, particularly checking the recipient’s wallet for connections to questionable entities is crucial,” Frei said, adding that users should also use licensed ATMs from reputable operators to reduce the risk.
Frei said there are steps that users can take to verify the ownership and legitimacy of a bitcoin ATM or parties involved in transactions.
“You can verify the recipient address by checking for flagged activity on platforms like Chainabuse and running an AML check on the address using available tools,” she said, If these tools show the risk score above 70%, it’s advisable to avoid sending money. “Instead, contact the ATM operator or the person who provided the address to clarify the situation,” Frei added.
According to Frei, data shows that nearly 74% of ATMs globally are managed by just 10 operators.
The largest operator of bitcoin ATMs, Bitcoin Depot, operates over 8,000 ATMs. Its CEO Brandon Mintz says the company’s machines are designed to deter hackers. But he also disputes the claims that bitcoin ATMs are major hacking targets.
“Bitcoin ATMs aren’t typically high-priority targets for cybercriminals due to the separation of the hardware and the bitcoin wallet environments,” Mintz said. Bitcoin Depot does not store any bitcoin locally at a bitcoin ATM, and there are many layers of verification and approval processes that prevent unauthorized access to the Bitcoin Depot wallet, he said.
Additionally, Mintz said, most bitcoin ATMs, including Bitcoin Depot’s, only accept cash, so this removes the ability for criminals to use card skimmers like they can install on traditional cash ATMs. However, he says users do need to be aware of scams, and some of the same basic protocols that protect consumers from old-fashioned financial scams apply to the world of cryptocurrency as well.
“Customers of bitcoin ATMs should never send bitcoin or other cryptocurrencies to unknown digital wallets or individuals they don’t know and trust. It’s important to remain vigilant and skeptical of anyone asking for cryptocurrency payments, especially if the request comes with a sense of urgency or threat,” Mintz said.
As the market leader, Bitcoin Depot has been a target of litigation and the company disclosed in its S-1 filing before going public that its users “have been and could be targeted in cybersecurity incidents like an account takeover.” A South Carolina woman sued Bitcoin Depot after falling victim to an alleged cryptocurrency scam. In another instance, authorities in Texas intervened to return money from a Bitcoin Depot ATM after a woman fell victim to a scam.
And that points to a central irony of bitcoin and the bitcoin ATM, products of technology, but ones where the most powerful weapon against fraud isn’t more technology but responsibility, Dobson said. “User responsibility is paramount in cryptocurrency. There is little recompense if something goes awry. The onus is largely on the user to take steps.”
Startup Figure AI is developing general-purpose humanoid robots.
Figure AI
Figure AI, an Nvidia-backed developer of humanoid robots, was sued by the startup’s former head of product safety who alleged that he was wrongfully terminated after warning top executives that the company’s robots “were powerful enough to fracture a human skull.”
Robert Gruendel, a principal robotic safety engineer, is the plaintiff in the suit filed Friday in a federal court in the Northern District of California. Gruendel’s attorneys describe their client as a whistleblower who was fired in September, days after lodging his “most direct and documented safety complaints.”
The suit lands two months after Figure was valued at $39 billion in a funding round led by Parkway Venture Capital. That’s a 15-fold increase in valuation from early 2024, when the company raised a round from investors including Jeff Bezos, Nvidia, and Microsoft.
In the complaint, Gruendel’s lawyers say the plaintiff warned Figure CEO Brett Adcock and Kyle Edelberg, chief engineer, about the robot’s lethal capabilities, and said one “had already carved a ¼-inch gash into a steel refrigerator door during a malfunction.”
The complaint also says Gruendel warned company leaders not to “downgrade” a “safety road map” that he had been asked to present to two prospective investors who ended up funding the company.
Gruendel worried that a “product safety plan which contributed to their decision to invest” had been “gutted” the same month Figure closed the investment round, a move that “could be interpreted as fraudulent,” the suit says.
The plaintiff’s concerns were “treated as obstacles, not obligations,” and the company cited a “vague ‘change in business direction’ as the pretext” for his termination, according to the suit.
Gruendel is seeking economic, compensatory and punitive damages and demanding a jury trial.
Figure didn’t immediately respond to a request for comment. Nor did attorneys for Gruendel.
The humanoid robot market remains nascent today, with companies like Tesla and Boston Dynamics pursuing futuristic offerings, alongside Figure, while China’s Unitree Robotics is preparing for an IPO. Morgan Stanley said in a report in May that adoption is “likely to accelerate in the 2030s” and could top $5 trillion by 2050.
Concerns about stock valuations in companies tied to artificial intelligence knocked the market around this week. Whether these worries will recede, as they did Friday, or flare up again will certainly be something to watch in the days and weeks ahead. We understand the concerns about valuations in the speculative aspects of the AI trade, such as nuclear stocks and neoclouds. Jim Cramer has repeatedly warned about them. But, in the past week, the broader AI cohort — including real companies that make money and are driving what many are calling the fourth industrial revolution — has been getting hit. We own many of them: Nvidia and Broadcom on the chip side, and GE Vernova and Eaton on the derivative trade of powering these energy-gobbling AI data centers. That’s not what should be happening based on their fundamentals. Outside of valuations, worries also center on capital expenditures and the depreciation that results from massive investments in AI infrastructure. On this point, investors face a choice. You can go with the bears who are glued to their spreadsheets and extrapolating the usable life of tech assets based on history, a seemingly understandable approach, and applying those depreciation rates to their financial models, arguing the chips should be near worthless after three years. Or, you can go with the commentary from management teams running the largest companies driving the AI trade, and what Jim has gleaned from talking with the smartest CEOs in the world. When it comes to the real players driving this AI investment cycle, like the ones we’re invested in, we don’t think valuations are all that high or unreasonable when you consider their growth rates and importance to the U.S., and by extension, the global economy. We’re talking about Nvidia CEO Jensen Huang, who would tell you that advancements in his company’s CUDA software have extended the life of GPU chip platforms to roughly five to six years. Don’t forget, CoreWeave recently re-contracted for H100s from Nvidia, which were released in late 2022. The bears with their spreadsheets would tell you those chips are worthless. However, we know that H100s have held most of their value. Or listen to Lisa Su, CEO of Advanced Micro Devices , who said last week that her customers are at the point now where “they can see the return on the other side” of these massive investments. For our part, we understand the spending concerns and the depreciation issues that will arise if these companies are indeed overstating the useful lives of these assets. However, those who have bet against the likes of Jensen Huang and Lisa Su, or Meta Platforms CEO Mark Zuckerberg, Microsoft CEO Satya Nadella, and others who have driven innovation in the tech world for over a decade, have been burned time and again. While the bears’ concerns aren’t invalid, long-term investors are better off taking their cues from technology experts. AI is real, and it will increasingly lead to productivity gains as adoption ramps up and the technology becomes ingrained in our everyday lives, just as the internet has. We have faith in the management teams of the AI stocks in which we are invested, and while faith is not an investment strategy, that faith is based on a historical track record of strong execution, the knowledge that offerings from these companies are best in class, and scrutiny of their underlying business fundamentals and financial profiles. Siding with these technology expert management teams, over the loud financial expert bears, has kept us on the right side of the trade for years, and we don’t see that changing in the future. (See here for a full list of the stocks in Jim Cramer’s Charitable Trust, including NVDA, AVGO, GEV, ETN, META, MSFT.) As a subscriber to the CNBC Investing Club with Jim Cramer, you will receive a trade alert before Jim makes a trade. Jim waits 45 minutes after sending a trade alert before buying or selling a stock in his charitable trust’s portfolio. If Jim has talked about a stock on CNBC TV, he waits 72 hours after issuing the trade alert before executing the trade. THE ABOVE INVESTING CLUB INFORMATION IS SUBJECT TO OUR TERMS AND CONDITIONS AND PRIVACY POLICY , TOGETHER WITH OUR DISCLAIMER . NO FIDUCIARY OBLIGATION OR DUTY EXISTS, OR IS CREATED, BY VIRTUE OF YOUR RECEIPT OF ANY INFORMATION PROVIDED IN CONNECTION WITH THE INVESTING CLUB. NO SPECIFIC OUTCOME OR PROFIT IS GUARANTEED.
Every weekday, the CNBC Investing Club with Jim Cramer releases the Homestretch — an actionable afternoon update, just in time for the last hour of trading on Wall Street. Markets: The S & P 500 bounced back Friday, recovering from the prior session’s sharp losses. The broad-based index, which was still tracking for a nearly 1.5% weekly decline, started off the session a little shaky as Club stock Nvidia drifted lower after the open. It was looking like concerns about the artificial intelligence trade, which have been dogging the market, were going to dominate back-to-back sessions. But when New York Federal Reserve President John Williams suggested that central bankers could cut interest rates for a third time this year, the market jumped higher. Rate-sensitive stocks saw big gains Friday. Home Depot rose more than 3.5% on the day, mitigating a tough week following Tuesday’s lackluster quarterly release. Eli Lilly hit an all-time high, becoming the first drugmaker to reach a $1 trillion market cap. TJX also topped its all-time high after the off-price retailer behind T.J. Maxx, Marshalls, and HomeGoods, delivered strong quarterly results Wednesday. Carry trade: We’re also monitoring developments in Japan, which is dealing with its own inflation problem and questions about whether to resume interest rate hikes. That brings us to the popular Japanese yen carry trade, which is getting squeezed as borrowing costs there are rising. The yen carry trade involves borrowing yen at a low rate, then converting them into, say, dollars, and investing in higher-yielding foreign assets. That’s all well and good when the cost to borrow yen is low. It’s a different story now that borrowing costs in Japan are hitting 30-year highs. When rates rise, the profit margin on the carry trade gets crunched, or vanishes completely. As a result, investors need to get out, which means forced selling and price action that becomes divorced from fundamentals. It’s unclear if any of this is adding pressure to U.S. markets. We didn’t see anything in the recent quarterly earnings reports from U.S. companies to suggest corporate fundamentals are deteriorating in any meaningful way. That’s why we’re looking for other potential external factors, alongside the well-known concerns about artificial intelligence spending, the depreciation resulting from those capital expenditures, and general worries about consumer sentiment and inflation here in America. Wall Street call: HSBC downgraded Palo Alto Networks to a sell-equivalent rating from a hold following the company’s quarterly earnings report Wednesday. Analysts, who left their $157 price target unchanged, cited decelerating sales growth as the driver of the rerating, describing the quarter as “sufficient, not transformational.” Still, the Club name delivered a beat-and-raise quarter, which topped estimates across every key metric. None of this stopped Palo Alto shares from falling on the release. We chalked the post-earnings decline up to high expectations heading into the quarter, coupled with investor concerns over a new acquisition of cloud management and monitoring company Chronosphere. Palo Alto is still working to close its multi-billion-dollar acquisition of identity security company CyberArk , announced in July. HSBC now argues the stock’s risk-versus-reward is turning negative, with limited potential for upward estimate revisions for fiscal years 2026 and 2027. We disagree with HSBC’s call, given the momentum we’re seeing across Palo Alto’s businesses. The cybersecurity leader is dominating through its “platformization” strategy, which bundles its products and services. Plus, Palo Alto keeps adding net new platformizations each quarter, converting customers to use its security platform, and is on track to reach its fiscal 2030 target. We also like management’s playbook for acquiring businesses just before they see an industry inflection point. With Chronosphere, Palo Alto believes the entire observability industry needs to change due to the growing presence of AI. We’re reiterating our buy-equivalent 1 rating and $225 price target on the stock. Up next: There are no Club earnings reports next week. Outside of the portfolio, Symbotic, Zoom Communications , Semtech , and Fluence Energy will report after Monday’s close. Wall Street will also get a slew of delayed economic data during the shortened holiday trading week. U.S. retail sales and September’s consumer price index are scheduled for release early Tuesday. Durable goods orders and the Conference Board consumer sentiment are released on Wednesday morning. (See here for a full list of the stocks in Jim Cramer’s Charitable Trust.) As a subscriber to the CNBC Investing Club with Jim Cramer, you will receive a trade alert before Jim makes a trade. Jim waits 45 minutes after sending a trade alert before buying or selling a stock in his charitable trust’s portfolio. If Jim has talked about a stock on CNBC TV, he waits 72 hours after issuing the trade alert before executing the trade. THE ABOVE INVESTING CLUB INFORMATION IS SUBJECT TO OUR TERMS AND CONDITIONS AND PRIVACY POLICY , TOGETHER WITH OUR DISCLAIMER . NO FIDUCIARY OBLIGATION OR DUTY EXISTS, OR IS CREATED, BY VIRTUE OF YOUR RECEIPT OF ANY INFORMATION PROVIDED IN CONNECTION WITH THE INVESTING CLUB. NO SPECIFIC OUTCOME OR PROFIT IS GUARANTEED.
