Bitcoin Depot loses 50.9 BTC after attackers pivot through corporate IT
Bitcoin Depot, operator of more than 25,000 crypto ATMs, disclosed in an SEC filing that intruders breached its corporate IT environment on March 23, 2026 and moved roughly 50.903 BTC — about $3.665 million — out of company-controlled wallets before access was cut. The attackers obtained credentials to digital asset settlement accounts during the dwell time between initial access and containment, indicating the wallet theft was an extension of a broader credential compromise rather than a direct key extraction.
The company says the incident was scoped to its corporate environment and did not reach customer platforms or production systems, and it has engaged external responders and notified law enforcement. Cyber insurance is in place but Bitcoin Depot has explicitly warned it may not cover the full loss, and on April 6 it formally classified the event as material given regulatory, legal and reputational exposure.
This is the second disclosed security failure at Bitcoin Depot within two years, following a 2024 breach that exposed PII for nearly 26,000 customers, and it lands in a pattern that already includes Byte Federal’s December 2024 compromise of 58,000 customer records. The recurring failure mode at crypto ATM operators is the corporate-to-treasury bridge: settlement wallet credentials sitting inside reachable IT estates, where one phishing or endpoint compromise converts directly into irreversible on-chain loss.
Continue reading at BleepingComputer →
This is an AI-generated summary. Read the original for the full story.