Bitcoin ATMs are a rapidly growing presence in the United States and, some experts say, a rapidly growing cybercrime menace. ATMs dealing in bitcoin are similar to their cash cousins: there are PINs to punch and withdrawal fees, just like any other ATM.
Unlike cash ATMs, though, the high value of crypto makes them prime targets for hackers. So, while a cash ATM tucked away between the snack cakes and energy drinks at a gas station may not draw much attention, a bitcoin ATM gets more scrutiny from bad actors.
“It’s clear that these machines are particularly vulnerable to both physical and cyber threats, making them a prime target for hackers and thieves,” said Timothy Bates, clinical professor of cybersecurityat the University of Michigan’s College of Innovation and Technology.
Bitcoin ATMs can be susceptible to attacks where hackers install malware on the machines to capture private keys, steal funds, or manipulate transactions, which Bates said is “especially concerning for ATMs that may not receive regular software updates or security patches.” Network vulnerabilities are also a weak spot. “If the machine’s network communications are not adequately secured, attackers can intercept data transfers between the ATM and the server, leading to data theft or unauthorized access,” Bates said.
Whether it’s hackers or scammers, the government is sounding the alarm about bitcoin ATMs. The Federal Trade Commission reported this week that scam incidents have risen by 1,000% since 2020.
Ironically, a bitcoin ATM’s risks are directly related to its strengths, according to Joe Dobson, principal analyst at Mandiant, a Google Cloud-owned cybersecurity company. Bitcoin is decentralized, permission-less, and immutable. “A transaction cannot be reversed or recalled if funds are deposited to the wrong address,” Dobson said. And while many crypto bulls find bitcoin’s lack of governance appealing, that can be problematic in ATMs. “There is no governing body within bitcoin dictating who can or cannot run a bitcoin ATM, hence many independent organizations operate the ATMs,” Dobson said.
There are also old criminal tricks that might be reversible in a traditional banking situation, but in the world of bitcoin, that is not so. For example, someone could maliciously slip their personal deposit slips into the stack at the bank, tricking folks into depositing money into their account. “A similar attack can happen with bitcoin ATMs,” Dobson said. “If an attacker compromises a bitcoin ATM, they may change the receiving wallet address (or ‘account number’), effectively stealing user funds.”
But in addition to old tricks, there are newer threats bitcoin ATMs introduce that cash ATMs do not face. Many bitcoin ATMs require personally identifiable information, such as an ID or even a Social Security number to comply with financial industry Know Your Customer (KYC) requirements. This information could be at risk if a bitcoin ATM is compromised.
In Middletown, Ohio, at the Middletown Food Mart in a hollowed-out end of town, a Bitcoin Depot ATM sits opposite a regular cash ATM, blending in among the potato chips, bottled water, and beer. Middletown’s claim to fame lately is as the hometown of Donald Trump’s running mate Ohio Senator J.D. Vance, who has refashioned himself, similar to Trump, as a pro-cryptocurrency warrior. The Middletown Food Mart sits across the street from where Vance grew up.
‘Elon Musk told me to do it.’
Sai Patel, whose family owns Middletown Food Mart, says the bitcoin ATM isn’t very busy.
“Maybe once a month someone comes in to use it,” Patel said. And if it is someone new, Patel will patiently explain how the machine works. He also keeps an eye out for unusual activity. Although the bitcoin ATM isn’t exactly drawing crowds, Patel says a surprising number of senior citizens show up at the kiosk, alarming given the rise of bitcoin ATM scams targeting seniors.
“Elderly people come in and use it,” Patel said.
He described one encounter where an elderly woman entered his shop and headed for the bitcoin ATM, then attempted to send a lot of money somewhere but had questions about using the machine. When Patel asked the woman a few questions as to why, she said, “Elon Musk told me to do it.” Patel quickly realized she had fallen prey to a scam. “I told her, no, no, no, it’s a scam,” Patel said, and he stopped her from dumping her life savings into the machine.
Alice Frei, head of security and compliance at blockchain communications & consulting agency Outset PR, says bitcoin ATM fraud is costly, enhanced by the sometimes shadowy world of crypto.
“Cryptocurrencies are easily exchanged online, often without clear identification of the parties involved. Criminals exploit this anonymity and move money almost invisibly, often employing techniques such as cross-blockchain ‘bridges’ to further obscure transactions,” she said.
And then there’s the fact that an ATM scam probably doesn’t originate in the town where it occurs. “Many crypto exchanges involved in these activities are based offshore, beyond the reach of regulators, making it difficult to trace and recover stolen funds,” Frei added.
Basic steps to avoid bitcoin ATM scams
To protect against these scams, users should be cautious and skeptical of any request to pay through a bitcoin ATM. Legitimate businesses rarely, if ever, demand payment in bitcoin through a machine.
“Verifying the legitimacy of a transaction, particularly checking the recipient’s wallet for connections to questionable entities is crucial,” Frei said, adding that users should also use licensed ATMs from reputable operators to reduce the risk.
Frei said there are steps that users can take to verify the ownership and legitimacy of a bitcoin ATM or parties involved in transactions.
“You can verify the recipient address by checking for flagged activity on platforms like Chainabuse and running an AML check on the address using available tools,” she said, If these tools show the risk score above 70%, it’s advisable to avoid sending money. “Instead, contact the ATM operator or the person who provided the address to clarify the situation,” Frei added.
According to Frei, data shows that nearly 74% of ATMs globally are managed by just 10 operators.
The largest operator of bitcoin ATMs, Bitcoin Depot, operates over 8,000 ATMs. Its CEO Brandon Mintz says the company’s machines are designed to deter hackers. But he also disputes the claims that bitcoin ATMs are major hacking targets.
“Bitcoin ATMs aren’t typically high-priority targets for cybercriminals due to the separation of the hardware and the bitcoin wallet environments,” Mintz said. Bitcoin Depot does not store any bitcoin locally at a bitcoin ATM, and there are many layers of verification and approval processes that prevent unauthorized access to the Bitcoin Depot wallet, he said.
Additionally, Mintz said, most bitcoin ATMs, including Bitcoin Depot’s, only accept cash, so this removes the ability for criminals to use card skimmers like they can install on traditional cash ATMs. However, he says users do need to be aware of scams, and some of the same basic protocols that protect consumers from old-fashioned financial scams apply to the world of cryptocurrency as well.
“Customers of bitcoin ATMs should never send bitcoin or other cryptocurrencies to unknown digital wallets or individuals they don’t know and trust. It’s important to remain vigilant and skeptical of anyone asking for cryptocurrency payments, especially if the request comes with a sense of urgency or threat,” Mintz said.
As the market leader, Bitcoin Depot has been a target of litigation and the company disclosed in its S-1 filing before going public that its users “have been and could be targeted in cybersecurity incidents like an account takeover.” A South Carolina woman sued Bitcoin Depot after falling victim to an alleged cryptocurrency scam. In another instance, authorities in Texas intervened to return money from a Bitcoin Depot ATM after a woman fell victim to a scam.
And that points to a central irony of bitcoin and the bitcoin ATM, products of technology, but ones where the most powerful weapon against fraud isn’t more technology but responsibility, Dobson said. “User responsibility is paramount in cryptocurrency. There is little recompense if something goes awry. The onus is largely on the user to take steps.”
Grabango, a venture-backed startup that was vying to take on Amazon in cashierless checkout technology, is shutting down after it was unable to raise enough money to stay afloat.
“Although the company established itself as a leader in checkout-free technology, it was not able to secure the funding it needed to continue providing service to its clients,” a spokesperson said in a statement to CNBC on Wednesday. “The company would like to thank its employees, investors, and clients for all their hard work and dedication.”
Food tech publication The Spoon reported earlier on Grabango’s closure.
Launched in 2016, Grabango was developing checkout-free technology that uses computer vision and machine learning to track and tally up items as shoppers grab them from store shelves. Will Glaser, Grabango’s founder and CEO, is a longtime Bay Area technologist who cofounded music streaming service Pandora.
Grabango raised just over $73 million, Pitchbook data shows, with its most sizable financing round coming in 2021, before the market turned. In June of that year, Grabango raised $39 million in a round led by Commerce Ventures, with participation from Peter Thiel’s Founders Fund as well as the venture arms of Unilever and Honeywell.
In February of this year, Glaser told Axios the company had plans to go public “in a couple of years at a $10 billion to $15 billion market cap.”
The IPO market has dried up since early 2022, with just three notable venture-backed companies debuting in the U.S. this year. The lack of liquidity has hammered the venture industry, making it harder for firms to launch new funds and for startups, outside of a select few AI companies, to raise capital.
Based in Berkeley, California, Grabango was seen as one of the primary rivals to Amazon’s cashierless checkout offering, called Just Walk Out. Other startups in the space include AiFi and Trigo.
Grabango had inked deals with grocers including Aldi and Giant Eagle, along with convenience store chains 7-Eleven and Circle K. Amazon has targeted its Just Walk Out service to convenience stores and retailers in airports, stadiums and hospitals, among other venues.
Amazon in April pulled its cashierless checkout technology from its U.S. Fresh stores and Whole Foods supermarkets. In a blog post following that decision, Glaser said Amazon’s reliance on shelf sensor technology in its JWO system had “proven to be its Achilles’ heel.” Glaser said Grabango eschewed shelf sensors in favor of computer vision which put it on a path for “widespread adoption.”
“This is a classic Tortoise and Hare parable, but with the players taking on surprising roles,” Glaser wrote. “The much larger Amazon lept to an early lead, but was unable to turn it into a sustained success. The more nimble Grabango, ironically, took the more difficult technical path, and is now reaping the benefits of its patience with a fundamentally more capable system.”
An independent contractor wearing a protective mask and gloves loads Amazon Prime grocery bags into a car outside a Whole Foods Market in Berkeley, California, on October 7, 2020.
David Paul Morris/Bloomberg via Getty Images
Amazonsaid Wednesday it’s testing adding mini warehouses to Whole Foods supermarkets as part of a bid to attract more shoppers to its stores and away from other grocery competitors.
The company is building a micro fulfillment center attached to a Whole Foods location in the Philadelphia suburb of Plymouth Meeting, Pennsylvania. Once the facility is operational within the next year, shoppers can order items from Amazon’s website and its online grocery service, Amazon Fresh, while browsing Whole Foods and pick it up in store as they’re checking out.
At a press event held near an Amazon warehouse in Nashville, Anand Varadarajan, who leads the product and technology teams for Amazon’s worldwide grocery business, showed a mockup of what the completed facility will look like. A small automated warehouse would be bolted onto a Whole Foods store, where robots fetch and ferry items like socks, soda bottles or tennis rackets and place them into bags for pickup by the shopper.
The arrangement would allow shoppers to buy staple goods from brands that aren’t carried at Whole Foods markets like Pepsi soda and Kellogg’s cereal, and tap into Amazon’s vast online catalog of items.
Amazon said it’s looking to “eliminate those extra trips” made by shoppers to other grocery stores. The average American shops at two different grocery stores per week, whether to maximize their cost savings, shop from a broader range of products, or take advantage of different promotions at each store, according to an April study from market research firm Drive Research.
“Customers shopping at Whole Foods Market today are looking for natural and organic products,” Varadarajan said during a presentation on Wednesday. “However, our data shows that many of them also visit additional stores to complete their regular grocery shopping needs. With our micro fulfillment center, we can reduce the need for our customers to visit different stores or make multiple online orders.”
Amazon has for years angled to gobble up a bigger share of the grocery market. It’s a category where Americans frequently spend money, more than other verticals like clothes or electronics. But Amazon also faces stiff competition from entrenched players like Walmart, Kroger and Albertsons, along with regional grocers.
In 2017, it spent $13.7 billion to acquire Whole Foods, a price tag more than 10 times higher than Amazon had paid in any prior deal. It’s also launched a growing stable of grocery offerings, including a grocery delivery service and its own supermarket chain, Amazon Fresh, aimed at the mass market.
Amazon CEO Andy Jassy has also said the company has a growing business selling “everyday essentials” like paper towels, dish soap and other items.
OpenAI is increasingly becoming a platform of choice for cyber actors looking to influence democratic elections across the globe.
In a 54-page report published Wednesday, the ChatGPT creator said that it’s disrupted “more than 20 operations and deceptive networks from around the world that attempted to use our models.” The threats ranged from AI-generated website articles to social media posts by fake accounts.
The company said its update on “influence and cyber operations” was intended to provide a “snapshot” of what it’s seeing and to identify “an initial set of trends that we believe can inform debate on how AI fits into the broader threat landscape.”
OpenAI’s report lands less than a month before the U.S. presidential election. Beyond the U.S., it’s a significant year for elections worldwide, with contests taking place that affect upward of 4 billion people in more than 40 countries. The rise of AI-generated content has led to serious election-related misinformation concerns, with the number of deepfakes that have been created increasing 900% year over year, according to data from Clarity, a machine learning firm.
Misinformation in elections is not a new phenomenon. It’s been a major problem dating back to the 2016 U.S. presidential campaign, when Russian actors found cheap and easy ways to spread false content across social platforms. In 2020, social networks were inundated with misinformation on Covid vaccines and election fraud.
Lawmakers’ concerns today are more focused on the rise in generative AI, which took off in late 2022 with the launch of ChatGPT and is now being adopted by companies of all sizes.
OpenAI wrote in its report that election-related uses of AI “ranged in complexity from simple requests for content generation, to complex, multi-stage efforts to analyze and reply to social media posts.” The social media content related mostly to elections in the U.S. and Rwanda, and to a lesser extent, elections in India and the EU, OpenAI said.
In late August, an Iranian operation used OpenAI’s products to generate “long-form articles” and social media comments about the U.S. election, as well as other topics, but the company said the majority of identified posts received few or no likes, shares and comments. In July, the company banned ChatGPT accounts in Rwanda that were posting election-related comments on X. And in May, an Israeli company used ChatGPT to generate social media comments about elections in India. OpenAI wrote that it was able to address the case within less than 24 hours.
In June, OpenAI addressed a covert operation that used its products to generate comments about the European Parliament elections in France, and politics in the U.S., Germany, Italy and Poland. The company said that while most social media posts it identified received few likes or shares, some real people did reply to the AI-generated posts.
None of the election-related operations were able to attract “viral engagement” or build “sustained audiences” via the use of ChatGPT and OpenAI’s other tools, the company wrote.