Bitcoin ATMs are a rapidly growing presence in the United States and, some experts say, a rapidly growing cybercrime menace. ATMs dealing in bitcoin are similar to their cash cousins: there are PINs to punch and withdrawal fees, just like any other ATM.

Unlike cash ATMs, though, the high value of crypto makes them prime targets for hackers. So, while a cash ATM tucked away between the snack cakes and energy drinks at a gas station may not draw much attention, a bitcoin ATM gets more scrutiny from bad actors.

“It’s clear that these machines are particularly vulnerable to both physical and cyber threats, making them a prime target for hackers and thieves,” said Timothy Bates, clinical professor of cybersecurity at the University of Michigan’s College of Innovation and Technology.

Bitcoin ATMs can be susceptible to attacks where hackers install malware on the machines to capture private keys, steal funds, or manipulate transactions, which Bates said is “especially concerning for ATMs that may not receive regular software updates or security patches.” Network vulnerabilities are also a weak spot. “If the machine’s network communications are not adequately secured, attackers can intercept data transfers between the ATM and the server, leading to data theft or unauthorized access,” Bates said.

Whether it’s hackers or scammers, the government is sounding the alarm about bitcoin ATMs. The Federal Trade Commission reported this week that scam incidents have risen by 1,000% since 2020.

Ironically, a bitcoin ATM’s risks are directly related to its strengths, according to Joe Dobson, principal analyst at Mandiant, a Google Cloud-owned cybersecurity company. Bitcoin is decentralized, permission-less, and immutable. “A transaction cannot be reversed or recalled if funds are deposited to the wrong address,”  Dobson said. And while many crypto bulls find bitcoin’s lack of governance appealing, that can be problematic in ATMs. “There is no governing body within bitcoin dictating who can or cannot run a bitcoin ATM, hence many independent organizations operate the ATMs,”  Dobson said.

There are also old criminal tricks that might be reversible in a traditional banking situation, but in the world of bitcoin, that is not so. For example, someone could maliciously slip their personal deposit slips into the stack at the bank, tricking folks into depositing money into their account. “A similar attack can happen with bitcoin ATMs,” Dobson said. “If an attacker compromises a bitcoin ATM, they may change the receiving wallet address (or ‘account number’), effectively stealing user funds.”

But in addition to old tricks, there are newer threats bitcoin ATMs introduce that cash ATMs do not face. Many bitcoin ATMs require personally identifiable information, such as an ID or even a Social Security number to comply with financial industry Know Your Customer (KYC) requirements. This information could be at risk if a bitcoin ATM is compromised.

In Middletown, Ohio, at the Middletown Food Mart in a hollowed-out end of town, a Bitcoin Depot ATM sits opposite a regular cash ATM, blending in among the potato chips, bottled water, and beer. Middletown’s claim to fame lately is as the hometown of Donald Trump’s running mate Ohio Senator J.D. Vance, who has refashioned himself, similar to Trump, as a pro-cryptocurrency warrior. The Middletown Food Mart sits across the street from where Vance grew up.

‘Elon Musk told me to do it.’

Sai Patel, whose family owns Middletown Food Mart, says the bitcoin ATM isn’t very busy.

“Maybe once a month someone comes in to use it,” Patel said. And if it is someone new, Patel will patiently explain how the machine works. He also keeps an eye out for unusual activity. Although the bitcoin ATM isn’t exactly drawing crowds, Patel says a surprising number of senior citizens show up at the kiosk, alarming given the rise of bitcoin ATM scams targeting seniors.

“Elderly people come in and use it,” Patel said.

He described one encounter where an elderly woman entered his shop and headed for the bitcoin ATM, then attempted to send a lot of money somewhere but had questions about using the machine. When Patel asked the woman a few questions as to why, she said, “Elon Musk told me to do it.” Patel quickly realized she had fallen prey to a scam. “I told her, no, no, no, it’s a scam,” Patel said, and he stopped her from dumping her life savings into the machine.

Alice Frei, head of security and compliance at blockchain communications & consulting agency Outset PR, says bitcoin ATM fraud is costly, enhanced by the sometimes shadowy world of crypto.

“Cryptocurrencies are easily exchanged online, often without clear identification of the parties involved. Criminals exploit this anonymity and move money almost invisibly, often employing techniques such as cross-blockchain ‘bridges’ to further obscure transactions,” she said. 

And then there’s the fact that an ATM scam probably doesn’t originate in the town where it occurs. “Many crypto exchanges involved in these activities are based offshore, beyond the reach of regulators, making it difficult to trace and recover stolen funds,” Frei added.

Basic steps to avoid bitcoin ATM scams

To protect against these scams, users should be cautious and skeptical of any request to pay through a bitcoin ATM. Legitimate businesses rarely, if ever, demand payment in bitcoin through a machine.

“Verifying the legitimacy of a transaction, particularly checking the recipient’s wallet for connections to questionable entities is crucial,” Frei said, adding that users should also use licensed ATMs from reputable operators to reduce the risk.

Frei said there are steps that users can take to verify the ownership and legitimacy of a bitcoin ATM or parties involved in transactions.

“You can verify the recipient address by checking for flagged activity on platforms like Chainabuse and running an AML check on the address using available tools,” she said, If these tools show the risk score above 70%, it’s advisable to avoid sending money. “Instead, contact the ATM operator or the person who provided the address to clarify the situation,” Frei added.

According to Frei, data shows that nearly 74% of ATMs globally are managed by just 10 operators.

The largest operator of bitcoin ATMs, Bitcoin Depot, operates over 8,000 ATMs. Its CEO Brandon Mintz says the company’s machines are designed to deter hackers. But he also disputes the claims that bitcoin ATMs are major hacking targets.

“Bitcoin ATMs aren’t typically high-priority targets for cybercriminals due to the separation of the hardware and the bitcoin wallet environments,” Mintz said. Bitcoin Depot does not store any bitcoin locally at a bitcoin ATM, and there are many layers of verification and approval processes that prevent unauthorized access to the Bitcoin Depot wallet, he said.

Additionally, Mintz said, most bitcoin ATMs, including Bitcoin Depot’s, only accept cash, so this removes the ability for criminals to use card skimmers like they can install on traditional cash ATMs. However, he says users do need to be aware of scams, and some of the same basic protocols that protect consumers from old-fashioned financial scams apply to the world of cryptocurrency as well.

“Customers of bitcoin ATMs should never send bitcoin or other cryptocurrencies to unknown digital wallets or individuals they don’t know and trust. It’s important to remain vigilant and skeptical of anyone asking for cryptocurrency payments, especially if the request comes with a sense of urgency or threat,”  Mintz said.

As the market leader, Bitcoin Depot has been a target of litigation and the company disclosed in its S-1 filing before going public that its users “have been and could be targeted in cybersecurity incidents like an account takeover.” A South Carolina woman sued Bitcoin Depot after falling victim to an alleged cryptocurrency scam. In another instance, authorities in Texas intervened to return money from a Bitcoin Depot ATM after a woman fell victim to a scam.

And that points to a central irony of bitcoin and the bitcoin ATM, products of technology, but ones where the most powerful weapon against fraud isn’t more technology but responsibility, Dobson said. “User responsibility is paramount in cryptocurrency. There is little recompense if something goes awry. The onus is largely on the user to take steps.”