Cryptocurrency ATM firm Bitcoin Depot suffered a cyberattack on March 23, during which over $3.6 million was stolen. 

In a filing with the SEC, Bitcoin Depot disclosed that a threat actor accessed specific systems and obtained control over credentials associated with its digital asset settlement accounts. 

“As a result, the unauthorized actor transferred approximately 50.903 Bitcoin from company-controlled wallets, valued at approximately $3.665 million as of the date of this report, without authorization,” the company said. 

The company has brought in outside cybersecurity specialists to support the investigation, while also notifying law enforcement about the incident. 

According to Bitcoin Depot, no customer data appears to have been accessed or exfiltrated in the breach. Although the company does not anticipate disruptions to its operations, it informed the SEC citing possible repercussions such as reputational harm and associated legal, regulatory, and response expenses. 

Bitcoin Depot stated that the investigation is still underway and the complete impact of the incident has not been established, cautioning that its preliminary findings may be revised. 

As the largest cryptocurrency ATM company in the United States, Bitcoin Depot operates over 9,000 kiosks across 47 states, allowing users to exchange cash for Bitcoin. The firm recorded $614.9 million in revenue in 2025. 

Bitcoin Depot declined to comment on whether the breach is connected to a series of recent cryptocurrency thefts that have been making headlines in the last fortnight. 

One week ago, DeFi platform Drift reported a $280 million withdrawal amid a security breach, with the incident attributed to North Korean hackers. 

According to blockchain analytics company Chainalysis, cryptocurrency firms lost $3.4 billion to theft in 2025. So far in 2026, beyond the $280 million stolen from Drift last week, there have been further crypto thefts amounting to $26 million and $40 million.