Crypto ATM operator Bitcoin Depot has disclosed that a hacker stole approximately 50.9 Bitcoin valued at around $3.7 million after gaining unauthorized access to internal systems. The company revealed the breach in a filing with the US Securities and Exchange Commission on Monday. According to the filing, the attacker obtained credentials tied to Bitcoin Depot’s corporate Bitcoin wallets on March 23. The company stated that customer accounts, platforms, and personal data were not compromised.
Bitcoin Depot says the incident has not significantly disrupted its day-to-day operations and notes that it carries insurance that may offset a portion of the financial losses. The company acknowledged, however, that the full extent of the breach remains unclear while the investigation continues. “As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet completely known,” the SEC filing states.
Despite the security incident, shares of Bitcoin Depot rose sharply following the disclosure. The stock closed at $2.74 on Wednesday, a gain of $0.37 or 15.61% for the day, according to data from Yahoo! Finance. Pre-market trading pushed the price further to $2.90, representing an additional increase of 5.84%.
The hack adds to a series of legal and regulatory challenges the company has been navigating across multiple US states. Regulators in Connecticut recently suspended Bitcoin Depot’s money transmission license and issued a temporary cease-and-desist order, citing violations including excessive fees and a failure to fully reimburse victims of scams. The company has also faced a lawsuit in Massachusetts alleging overcharging and facilitating fraudulent activity, and it paid $1.9 million in Maine to compensate affected customers.
This is not the first time Bitcoin Depot has dealt with a security incident. In June 2024, a separate data breach exposed the personal information of 26,732 customers. That breach was connected to an external system, and authorities did not clear the company to issue customer notifications until the investigation concluded in June 2025.
Broader pressure on crypto ATM operators is intensifying across the United States as fraud concerns grow. Stillwater, Minnesota, has enacted a ban on crypto ATMs after residents suffered significant financial losses to scams, while Spokane, Washington, introduced a citywide ban in June, describing the kiosks as a preferred tool for scammers following a rise in fraud cases. Haverhill, Massachusetts, is also weighing a ban through a proposed ordinance that cites fraud and money laundering risks, which would require all machines to be removed within 60 days if the measure is approved.
Originally reported by CoinTelegraph.
