Bitcoin Depot Reports $3.7M Hack as Regulatory Pressure Mounts
The largest Bitcoin ATM operator, Bitcoin Depot, disclosed the theft of 50.9 BTC from its corporate wallets. The breach comes amid heightened regulatory scrutiny and declining financial performance.
Bitcoin Depot, the world's largest Bitcoin ATM operator, has confirmed that a hacker breached its IT systems and drained 50.9 BTC — approximately $3.66 million — from the company's corporate cryptocurrency wallets. The incident was disclosed in a filing submitted to the U.S. Securities and Exchange Commission (SEC) on April 8.
How the Breach Unfolded
On March 23, an unauthorized actor gained access to Bitcoin Depot's IT infrastructure and seized control of the company's cryptocurrency accounts, ultimately transferring out 50.9 BTC. Upon detecting the breach, Bitcoin Depot activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement.
The company stated that no customer data or personal information was compromised in the attack. An investigation involving third-party specialists remains ongoing. Bitcoin Depot noted that insurance may cover a portion of the losses but cautioned that "there is no guarantee that this will be sufficient to cover all losses."
Why This Matters
The hack targeting Bitcoin Depot underscores the vulnerability of even publicly traded, regulated players in the crypto infrastructure space. As the largest operator of Bitcoin ATMs, the company's security incident raises broader concerns about the resilience of crypto-physical service providers. The breach arrives at a particularly challenging moment for the industry — 666 Bitcoin ATMs have been shut down across the U.S. since the start of 2026, reflecting a sector in flux.
Mounting Regulatory Challenges
The cyberattack occurred against a backdrop of intensifying regulatory scrutiny. In March, Connecticut authorities suspended Bitcoin Depot's money transmission license after discovering the operator had exceeded the state's 15% fee cap on 1,015 transactions. As a result, 510 customers were overcharged by a total of approximately $150,426.
The broader wave of Bitcoin ATM shutdowns across the United States began in March 2025, following a bill introduced by Illinois Senator Dick Durbin aimed at combating fraud associated with cryptocurrency kiosks. The closures have accelerated since then.
Financial Performance Under Pressure
Bitcoin Depot's financial results paint a challenging picture. The company reported net income of $4.7 million for 2025, down from $7.8 million in the prior reporting period. Management expects core business revenue to decline by 30–40% in the current year due to state-level regulatory requirements and tightened compliance standards.
The company acknowledged that while its anti-fraud measures have been effective in reducing consumer scams and protecting clients, these same efforts are expected to result in significantly lower revenue compared to previous years.
Despite the negative news, Bitcoin Depot's stock rose 15.6% on April 8 to close at $2.74. However, the shares have plummeted 88% over the past six months.
The incident follows a broader trend of turmoil among Bitcoin ATM operators. In November 2025, rival operator Crypto Dispensers announced the sale of its business for $100 million amid criminal prosecution of its CEO.
Frequently Asked Questions
How much was stolen in the Bitcoin Depot hack?
Hackers stole 50.9 BTC, valued at approximately $3.66 million, from Bitcoin Depot's corporate wallets. The breach occurred on March 23 and was disclosed to the SEC on April 8.
Were Bitcoin Depot customers affected by the hack?
No, the company confirmed that no customer data or personal information was compromised. Only corporate cryptocurrency wallets were targeted in the attack.
Why are Bitcoin ATMs being shut down in the US?
A wave of closures began in March 2025 following a bill by Illinois Senator Dick Durbin targeting fraud at crypto kiosks. Since the start of 2026, 666 Bitcoin ATMs have been shut down across the country.
What happened to Bitcoin Depot's stock after the hack?
Bitcoin Depot shares actually rose 15.6% on April 8, closing at $2.74. However, the stock has declined 88% over the past six months, reflecting broader challenges facing the company.
Why was Bitcoin Depot's license suspended in Connecticut?
Connecticut regulators found that Bitcoin Depot exceeded the state's 15% fee cap on 1,015 transactions, resulting in approximately $150,426 in overcharges to 510 customers. The money transmission license was subsequently suspended.
Read also
Drift Protocol on Solana Hacked for $280M in Sophisticated Durable Nonce Attack
Solana-based DeFi platform Drift Protocol lost at least $280 million in a hack on April 1. The DRIFT token dropped 37% while Circle faces criticism for failing to freeze stolen USDC.
AI Audit Uncovers Critical Liveness Bug in Ethereum's Nethermind Client
Octane Security's AI discovered a high-severity vulnerability in the Nethermind execution client that could have halted block production for 38% of Ethereum mainnet validators. The Ethereum Foundation awarded a maximum $50,000 bounty.
April 2026 Sets All-Time Record for Number of Crypto Hacks
April 2026 saw a record-breaking 24 crypto hacks resulting in approximately $651 million in total losses. Kelp and Drift Protocol suffered the largest exploits.
US DOJ Seizes Over $580M in Crypto Linked to Chinese Criminal Organizations
The U.S. Department of Justice seized more than $580 million in cryptocurrency tied to Chinese criminal organizations, marking one of the largest crypto enforcement actions in history.
Drift Protocol Hack Victims File Class Action Lawsuit Against Circle Over $230M in USDC
Over 100 victims of the Drift Protocol exploit have filed a class action lawsuit against Circle in Massachusetts court, accusing the USDC issuer of negligence and enabling hackers.
GPU Memory Attacks, $21B in Cybercrime Losses, and Chrome's Chip-Level Protection: Cybersecurity Roundup
The FBI reported record $21 billion in cybercrime losses for 2025, Google introduced hardware-bound session protection in Chrome, and researchers demonstrated three new attack methods targeting Nvidia GPU memory.