Bitcoin Depot, the largest crypto ATM operator in the United States, reported a security breach that resulted in the theft of $3.7 million worth of bitcoin from company-controlled wallets. The company identified unauthorized access to its systems on March 23 and traced the incident to an attacker who obtained credentials linked to its crypto settlement accounts.
Incident details and company response
Bitcoin Depot, which is listed on Nasdaq, revealed in a regulatory filing that the attacker managed to transfer approximately 50.9 bitcoin from the company’s settlement accounts. Internal investigations confirmed that the intrusion was limited to the corporate environment, with no customer platforms, systems, or data affected during the breach.
After discovering the unauthorized access, Bitcoin Depot immediately initiated its incident response protocols, brought in external cybersecurity experts, and notified law enforcement. A preliminary loss estimate of $3.665 million has been recorded, subject to revision as the investigation evolves.
Insurance coverage may mitigate some of the financial impact, but Bitcoin Depot mentioned there is no certainty that all stolen assets will be recovered. Beyond financial loss, the company expects to face ongoing costs related to legal, regulatory, and reputational issues as a result of the incident.
A spokesperson from Bitcoin Depot emphasized the company’s actions in the immediate aftermath:
Upon detection, the company promptly activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement.
Operational impact and ongoing challenges
Founded in 2016 and based in Atlanta, Bitcoin Depot operates over 9,000 bitcoin ATMs in 47 U.S. states, representing the largest network of crypto ATMs in the country. The company announced that it does not expect the breach to have a material impact on daily operations, though it acknowledged additional risks and costs could arise from regulatory scrutiny or loss of customer confidence.
This cyberattack adds to a growing list of security incidents affecting crypto businesses this year, highlighting ongoing vulnerabilities facing exchanges and custodial services. Bitcoin Depot’s disclosure comes at a time of broader business challenges, including increased regulatory pressure and financial headwinds.
In March, Connecticut authorities suspended Bitcoin Depot’s money transmission license, citing fees that exceeded the state’s 15% cap on more than 1,000 transactions. Officials reported that over 500 customers paid a total of $150,000 in excessive fees as a result.
The company also experienced a recent leadership change, appointing Alex Holmes as chairman and CEO. Holmes previously led MoneyGram International and managed its acquisition by Madison Dearborn Partners, signaling a shift in the company’s strategic direction.
Financial results have reflected mounting challenges. Bitcoin Depot reported net income of $4.7 million in 2025, down from $7.8 million a year earlier. The firm also forecasted a potential revenue decrease of 30% to 40% in 2026, pointing to tightening state regulations and increased compliance obligations.
While the company’s fraud prevention measures have limited customer impact during the hack, Bitcoin Depot expects these controls to further dampen transaction volume and overall revenue moving forward. As of today, its shares are trading at $2.58.
