Bitcoin ATMs are a rapidly growing presence in the United States and, some experts say, a rapidly growing cybercrime menace. ATMs dealing in bitcoin are similar to their cash cousins: there are PINs to punch and withdrawal fees, just like any other ATM.
Unlike cash ATMs, though, the high value of crypto makes them prime targets for hackers. So, while a cash ATM tucked away between the snack cakes and energy drinks at a gas station may not draw much attention, a bitcoin ATM gets more scrutiny from bad actors.
“It’s clear that these machines are particularly vulnerable to both physical and cyber threats, making them a prime target for hackers and thieves,” said Timothy Bates, clinical professor of cybersecurityat the University of Michigan’s College of Innovation and Technology.
Bitcoin ATMs can be susceptible to attacks where hackers install malware on the machines to capture private keys, steal funds, or manipulate transactions, which Bates said is “especially concerning for ATMs that may not receive regular software updates or security patches.” Network vulnerabilities are also a weak spot. “If the machine’s network communications are not adequately secured, attackers can intercept data transfers between the ATM and the server, leading to data theft or unauthorized access,” Bates said.
Whether it’s hackers or scammers, the government is sounding the alarm about bitcoin ATMs. The Federal Trade Commission reported this week that scam incidents have risen by 1,000% since 2020.
Ironically, a bitcoin ATM’s risks are directly related to its strengths, according to Joe Dobson, principal analyst at Mandiant, a Google Cloud-owned cybersecurity company. Bitcoin is decentralized, permission-less, and immutable. “A transaction cannot be reversed or recalled if funds are deposited to the wrong address,” Dobson said. And while many crypto bulls find bitcoin’s lack of governance appealing, that can be problematic in ATMs. “There is no governing body within bitcoin dictating who can or cannot run a bitcoin ATM, hence many independent organizations operate the ATMs,” Dobson said.
There are also old criminal tricks that might be reversible in a traditional banking situation, but in the world of bitcoin, that is not so. For example, someone could maliciously slip their personal deposit slips into the stack at the bank, tricking folks into depositing money into their account. “A similar attack can happen with bitcoin ATMs,” Dobson said. “If an attacker compromises a bitcoin ATM, they may change the receiving wallet address (or ‘account number’), effectively stealing user funds.”
But in addition to old tricks, there are newer threats bitcoin ATMs introduce that cash ATMs do not face. Many bitcoin ATMs require personally identifiable information, such as an ID or even a Social Security number to comply with financial industry Know Your Customer (KYC) requirements. This information could be at risk if a bitcoin ATM is compromised.
In Middletown, Ohio, at the Middletown Food Mart in a hollowed-out end of town, a Bitcoin Depot ATM sits opposite a regular cash ATM, blending in among the potato chips, bottled water, and beer. Middletown’s claim to fame lately is as the hometown of Donald Trump’s running mate Ohio Senator J.D. Vance, who has refashioned himself, similar to Trump, as a pro-cryptocurrency warrior. The Middletown Food Mart sits across the street from where Vance grew up.
‘Elon Musk told me to do it.’
Sai Patel, whose family owns Middletown Food Mart, says the bitcoin ATM isn’t very busy.
“Maybe once a month someone comes in to use it,” Patel said. And if it is someone new, Patel will patiently explain how the machine works. He also keeps an eye out for unusual activity. Although the bitcoin ATM isn’t exactly drawing crowds, Patel says a surprising number of senior citizens show up at the kiosk, alarming given the rise of bitcoin ATM scams targeting seniors.
“Elderly people come in and use it,” Patel said.
He described one encounter where an elderly woman entered his shop and headed for the bitcoin ATM, then attempted to send a lot of money somewhere but had questions about using the machine. When Patel asked the woman a few questions as to why, she said, “Elon Musk told me to do it.” Patel quickly realized she had fallen prey to a scam. “I told her, no, no, no, it’s a scam,” Patel said, and he stopped her from dumping her life savings into the machine.
Alice Frei, head of security and compliance at blockchain communications & consulting agency Outset PR, says bitcoin ATM fraud is costly, enhanced by the sometimes shadowy world of crypto.
“Cryptocurrencies are easily exchanged online, often without clear identification of the parties involved. Criminals exploit this anonymity and move money almost invisibly, often employing techniques such as cross-blockchain ‘bridges’ to further obscure transactions,” she said.
And then there’s the fact that an ATM scam probably doesn’t originate in the town where it occurs. “Many crypto exchanges involved in these activities are based offshore, beyond the reach of regulators, making it difficult to trace and recover stolen funds,” Frei added.
Basic steps to avoid bitcoin ATM scams
To protect against these scams, users should be cautious and skeptical of any request to pay through a bitcoin ATM. Legitimate businesses rarely, if ever, demand payment in bitcoin through a machine.
“Verifying the legitimacy of a transaction, particularly checking the recipient’s wallet for connections to questionable entities is crucial,” Frei said, adding that users should also use licensed ATMs from reputable operators to reduce the risk.
Frei said there are steps that users can take to verify the ownership and legitimacy of a bitcoin ATM or parties involved in transactions.
“You can verify the recipient address by checking for flagged activity on platforms like Chainabuse and running an AML check on the address using available tools,” she said, If these tools show the risk score above 70%, it’s advisable to avoid sending money. “Instead, contact the ATM operator or the person who provided the address to clarify the situation,” Frei added.
According to Frei, data shows that nearly 74% of ATMs globally are managed by just 10 operators.
The largest operator of bitcoin ATMs, Bitcoin Depot, operates over 8,000 ATMs. Its CEO Brandon Mintz says the company’s machines are designed to deter hackers. But he also disputes the claims that bitcoin ATMs are major hacking targets.
“Bitcoin ATMs aren’t typically high-priority targets for cybercriminals due to the separation of the hardware and the bitcoin wallet environments,” Mintz said. Bitcoin Depot does not store any bitcoin locally at a bitcoin ATM, and there are many layers of verification and approval processes that prevent unauthorized access to the Bitcoin Depot wallet, he said.
Additionally, Mintz said, most bitcoin ATMs, including Bitcoin Depot’s, only accept cash, so this removes the ability for criminals to use card skimmers like they can install on traditional cash ATMs. However, he says users do need to be aware of scams, and some of the same basic protocols that protect consumers from old-fashioned financial scams apply to the world of cryptocurrency as well.
“Customers of bitcoin ATMs should never send bitcoin or other cryptocurrencies to unknown digital wallets or individuals they don’t know and trust. It’s important to remain vigilant and skeptical of anyone asking for cryptocurrency payments, especially if the request comes with a sense of urgency or threat,” Mintz said.
As the market leader, Bitcoin Depot has been a target of litigation and the company disclosed in its S-1 filing before going public that its users “have been and could be targeted in cybersecurity incidents like an account takeover.” A South Carolina woman sued Bitcoin Depot after falling victim to an alleged cryptocurrency scam. In another instance, authorities in Texas intervened to return money from a Bitcoin Depot ATM after a woman fell victim to a scam.
And that points to a central irony of bitcoin and the bitcoin ATM, products of technology, but ones where the most powerful weapon against fraud isn’t more technology but responsibility, Dobson said. “User responsibility is paramount in cryptocurrency. There is little recompense if something goes awry. The onus is largely on the user to take steps.”
Paxton sued Google in 2022 for allegedly unlawfully tracking and collecting the private data of users.
The attorney general said the settlement, which covers allegations in two separate lawsuits against the search engine and app giant, dwarfed all past settlements by other states with Google for similar data privacy violations.
Google’s settlement comes nearly 10 months after Paxton obtained a $1.4 billion settlement for Texas from Meta, the parent company of Facebook and Instagram, to resolve claims of unauthorized use of biometric data by users of those popular social media platforms.
“In Texas, Big Tech is not above the law,” Paxton said in a statement on Friday.
“For years, Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry through their products and services. I fought back and won,” said Paxton.
“This $1.375 billion settlement is a major win for Texans’ privacy and tells companies that they will pay for abusing our trust.”
Google spokesman Jose Castaneda said the company did not admit any wrongdoing or liability in the settlement, which involves allegations related to the Chrome browser’s incognito setting, disclosures related to location history on the Google Maps app, and biometric claims related to Google Photo.
Castaneda said Google does not have to make any changes to products in connection with the settlement and that all of the policy changes that the company made in connection with the allegations were previously announced or implemented.
“This settles a raft of old claims, many of which have already been resolved elsewhere, concerning product policies we have long since changed,” Castaneda said.
“We are pleased to put them behind us, and we will continue to build robust privacy controls into our services.”
Virtual care company Omada Health filed for an IPO on Friday, the latest digital health company that’s signaled its intent to hit the public markets despite a turbulent economy.
Founded in 2012, Omada offers virtual care programs to support patients with chronic conditions like prediabetes, diabetes and hypertension. The company describes its approach as a “between-visit care model” that is complementary to the broader health-care ecosystem, according to its prospectus.
Revenue increased 57% in the first quarter to $55 million, up from $35.1 million during the same period last year, the filing said. The San Francisco-based company generated $169.8 million in revenue during 2024, up 38% from $122.8 million the previous year.
Omada’s net loss narrowed to $9.4 million during its first quarter from $19 million during the same period last year. It reported a net loss of $47.1 million in 2024, compared to a $67.5 million net loss during 2023.
The IPO market has been largely dormant across the tech sector for the past three years, and within digital health, it’s been almost completely dead. After President Donald Trump announced a sweeping tariff policy that plunged U.S. markets into turmoil last month, taking a company public is an even riskier endeavor. Online lender Klarna delayed its long-anticipated IPO, as did ticket marketplace StubHub.
But Omada Health isn’t the first digital health company to file for its public market debut this year. Virtual physical therapy startup Hinge Health filed its prospectus in March, and provided an update with its first-quarter earnings on Monday, a signal to investors that it’s looking to forge ahead.
Omada contracts with employers, and the company said it works with more than 2,000 customers and supports 679,000 members as of March 31. More than 156 million Americans suffer from at least one chronic condition, so there is a significant market opportunity, according to the company’s filing.
In 2022, Omada announced a $192 million funding round that pushed its valuation above $1 billion. U.S. Venture Partners, Andreessen Horowitz and Fidelity’s FMR LLC are the largest outside shareholders in the company, each owning between 9% and 10% of the stock.
“To our prospective shareholders, thank you for learning more about Omada. I invite you join our journey,” Omada co-founder and CEO Sean Duffy said in the filing. “In front of us is a unique chance to build a promising and successful business while truly changing lives.”
Liz Reid, vice president, search, Google speaks during an event in New Delhi on December 19, 2022.
Sajjad Hussain | AFP | Getty Images
Testimony in Google‘s antitrust search remedies trial that wrapped hearings Friday shows how the company is calculating possible changes proposed by the Department of Justice.
Google head of search Liz Reid testified in court Tuesday that the company would need to divert between 1,000 and 2,000 employees, roughly 20% of Google’s search organization, to carry out some of the proposed remedies, a source with knowledge of the proceedings confirmed.
The testimony comes during the final days of the remedies trial, which will determine what penalties should be taken against Google after a judge last year ruled the company has held an illegal monopoly in its core market of internet search.
The DOJ, which filed the original antitrust suit and proposed remedies, asked the judge to force Google to share its data used for generating search results, such as click data. It also asked for the company to remove the use of “compelled syndication,” which refers to the practice of making certain deals with companies to ensure its search engine remains the default choice in browsers and smartphones.
Read more CNBC tech news
Google pays Apple billions of dollars per year to be the default search engine on iPhones. It’s lucrative for Apple and a valuable way for Google to get more search volume and users.
Apple’s SVP of Services Eddy Cue testified Wednesday that Apple chooses to feature Google because it’s “the best search engine.”
The DOJ also proposed the company divest its Chrome browser but that was not included in Reid’s initial calculation, the source confirmed.
Reid on Tuesday said Google’s proprietary “Knowledge Graph” database, which it uses to surface search results, contains more than 500 billion facts, according to the source, and that Google has invested more than $20 billion in engineering costs and content acquisition over more than a decade.
“People ask Google questions they wouldn’t ask anyone else,” she said, according to the source.
Reid echoed Google’s argument that sharing its data would create privacy risks, the source confirmed.
Closing arguments for the search remedies trial will take place May 29th and 30th, followed by the judge’s decision expected in August.
The company faces a separate remedies trial for its advertising tech business, which is scheduled to begin Sept. 22.
