
Whoops! Bitcoin Depot is reportedly informing nearly 27,000 users of its crypto-dispensing ATMs that someone made off with their personal information in June 2024.
For the uninitiated: unlike traditional ATMs, which transform some of the make-believe money in a bank account into cold hard cash, a Bitcoin ATM converts said cash into the make-believe money people can leave untouched in their cryptocurrency wallets until they finally decide they'd rather have billions of dollars.
BleepingComputer reports that Bitcoin Depot has sent letters to tens of thousands of its users, informing them of a breach that compromised their names, addresses, email addresses, phone numbers, dates of birth, and driver's license numbers. A copy of the letter (PDF) published by the Office of the Maine Attorney General explains:
"On June 23, 2024, Bitcoin Depot, Inc. detected unusual activity on its information systems and immediately commenced an investigation, which included engaging third-party incident response experts to assist in determining the extent of any unauthorized activity. On July 18, 2024, the investigation was complete, and we identified your personal information contained within documents related to certain of our customers that the unauthorized individual obtained. Unfortunately, we were not able to inform you sooner due to an ongoing investigation. Federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation. Law enforcement advised Bitcoin Depot on June 13, 2025, that their investigation was complete."
The letter is dated July 7; it's not clear why it took Bitcoin Depot nearly a month to start notifying customers of the breach after it received the all-clear from whichever law enforcement organization was handling the investigation. (Not that a few weeks makes that big a difference when discussing an incident that occurred a year ago.)
That's obviously a bummer for the people affected by this incident. But for outside observers, it's probably much more interesting how this breach highlights the weird regulatory space in which cryptocurrency-focused companies operate.
Bitcoin Depot only had to gather this information because of Know Your Customer laws, and, as explained above, it was also required to cooperate with law enforcement. Yet the company doesn't have to provide identity theft protection services, which is the token mea culpa most U.S. businesses have to offer when they leak data like this.
There's also the irony of people having their personal information compromised because they purchased a cryptocurrency that supposedly offers anonymous transactions. (Even though it popularized the idea of the blockchain, which is specifically designed to keep a distributed, immutable record of every transaction.)
So, we have some 27,000 people who had to share their info with Bitcoin Depot because of U.S. regulations and who didn't hear about the breach for over a year because of U.S. law enforcement, but because they were purchasing a cryptocurrency, they won't be afforded the usual protections.
Cha-ching!