
Bitcoin Depot loses 50.9 BTC to credential breach, ZachXBT contradicts SEC filing timeline

By Artem Safonov, Threat Analyst

Bitcoin Depot disclosed a $3.665 million Bitcoin theft in an SEC 8-K filed on April 8. The Atlanta-based ATM operator said an unauthorized actor took control of credentials for its digital asset settlement accounts. The attacker moved approximately 50.903 Bitcoin out of company wallets without authorization.

On-chain investigator ZachXBT contradicted the filing's timeline within 24 hours. The filing covers an Item 1.05 material cybersecurity incident under the SEC's December 2023 disclosure rule. General Counsel Christopher Ryan signed it on behalf of Bitcoin Depot Inc., which trades on the Nasdaq under ticker BTM.

The company discovered the intrusion on March 23 and determined materiality on April 6. Bitcoin Depot submitted the 8-K two business days after the materiality determination. The filing puts the loss at 50.903 Bitcoin worth $3.665 million as of the report date. Bitcoin Depot says the incident was contained to its corporate environment and did not affect customer platforms, divisions, systems, data, or environments.

Bitcoin Depot has found no evidence that customer PII was accessed or exfiltrated, though the investigation continues.

The 14-day gap between detection and materiality determination is structural to the SEC rule. Item 1.05 requires disclosure within four business days after a registrant determines an incident is material, not after the incident occurs or is discovered. The rule sets no deadline on the materiality determination itself. Bitcoin Depot's filing on April 8 falls within the four-business-day window from the April 6 determination, complying with the rule as written. The detection gap surfaced within 24 hours of the filing.

ZachXBT published an on-chain trace on X on April 9. The independent investigator placed the actual outflow three days earlier than the company's discovery date. The funds went to KuCoin deposit addresses, according to the trace. Bitcoin Depot's 8-K does not specify when the unauthorized transfer actually occurred on-chain, only the date the company discovered it.

Based on the 8K filing it seems it took 3 days for the BitcoinDepot team to notice the $3.6M was stolen. I traced it out and the suspicious outflows actually occurred on March 20 and the funds were transferred to Kucoin deposit addresses.

— ZachXBT, on-chain investigator

The destination pattern is forensically unusual for a sophisticated operation. KuCoin runs KYC verification, which makes deposit addresses traceable to identified user records. Sophisticated nation-state laundering operations typically route stolen crypto through mixers, ThorChain, eXch, or non-KYC instant exchangers.

A KYC-bound exchange is the last destination Lazarus would pick. The KuCoin endpoint looks more like opportunistic credential theft than nation-state laundering tradecraft, and that distinction shapes who to look for and how recoverable the funds are.

The 8-K leaves several material details unaddressed. The filing does not name the credential compromise vector, the third-party incident response firm, or the law enforcement agencies notified. It does not say whether the settlement accounts were self-custodied or held with a third-party provider. The filing stays silent on existing wallet controls and whether any of the stolen Bitcoin has been recovered or frozen at KuCoin.

Bitcoin Depot's CEO transition shares the same effective date as the breach discovery. On March 24, the company announced that Scott Buchanan had resigned as Chief Executive Officer with W. Alexander Holmes appointed Chairman and CEO effective March 23. The press release said Buchanan stepped down to pursue an opportunity outside the company, "not due to any disagreement" over operations, policies, or practices. That phrasing is the standard SEC formulation indicating the departure is unconnected to internal control issues or pending disclosure events.

Holmes was already a director on the Bitcoin Depot board before the appointment. He joined from MoneyGram International, where he served as Chairman and CEO from 2016 to 2024. Founder Brandon Mintz also stepped down as Executive Chairman on March 23, remaining on the board as a non-executive director and advisor.

This is Bitcoin Depot's second material cybersecurity incident in two years. In 2024, the company detected unauthorized access to systems holding personal information on 26,732 customers. The exposed data included names, phone numbers, driver's license numbers, and in some cases physical addresses, dates of birth, and email addresses. That earlier breach was disclosed in July 2025, approximately 13 months after detection, after federal law enforcement requested a notification delay during a parallel investigation.

A class action over the 2024 incident remains pending in Georgia. Plaintiff Quincey Hall filed the complaint in August 2025. The complaint alleges Bitcoin Depot failed to safeguard customer data. Plaintiffs claim negligence, breach of implied contract, and violation of the Georgia Fair Business Practices Act.

The two incidents target different layers of the same business. The 2024 attackers went after KYC data, the customer records that crypto ATM operators are required to collect under FinCEN compliance. The 2026 attackers went after the corporate treasury, the wallets where Bitcoin Depot holds Bitcoin destined for the ATM network.

Both targets are predictable for a Bitcoin ATM operator. They are difficult to engineer away without changing how the kiosks work.

The breach lands in the middle of a turbulent five months for Bitcoin Depot. In November 2025, an arbitration tribunal awarded $18.47 million to Cash Cloud, Inc. against Bitcoin Depot's Canadian subsidiary BitAccess. The dispute concerned alleged hardware and software performance failures under a 2020 Master Purchase Agreement. In February 2026, the company executed a reverse stock split, reducing Class A Common Stock from approximately 35.5 million to 5.07 million shares.

Bitcoin Depot reported full-year 2025 revenue of $614.9 million on March 16. Reverse stock splits are typically used to maintain Nasdaq minimum bid price requirements.

Bitcoin Depot is not the first crypto ATM operator to disclose a major incident in this cycle. In December 2024, Byte Federal disclosed a breach affecting 58,000 customers, caused by attackers exploiting a GitLab vulnerability on a server hosting customer information. Byte Federal subsequently agreed to a class action settlement over the same incident.

Crypto ATM operators carry the regulatory burden of a financial institution and the operational target surface of a crypto exchange. PII piles and treasury wallets end up inside the same blast radius, and Bitcoin Depot's two incidents in two years are the predictable result.

Two questions matter for the broader cybersecurity audience and remain unanswered after the filing. The first is the credential compromise vector. The Bitcoin Depot wording covers a wide range of possibilities. Phishing, infostealer log purchases, identity provider compromise, malicious browser extensions, and credential reuse from unrelated breaches all fit the description. Whichever vector applies, it determines what other crypto ATM operators should be hardening.

The second question is detection latency. If the March 20 outflow date is correct, Bitcoin Depot's monitoring did not flag a $3.6 million transfer for 72 hours. For a company whose core business is moving Bitcoin between wallets, that detection gap is the operational story underneath the financial loss.

Customers affected by the 2024 breach are a separate population from this incident. The 8-K states that customer platforms, data, and environments were not affected by the 2026 attack. No evidence of customer PII access has been identified. The standard recommendations from the earlier breach still apply for the 26,732 individuals notified beginning in July 2025.

Affected individuals should monitor credit reports and consider fraud alerts or security freezes. They should also treat unsolicited contact claiming to be from Bitcoin Depot with skepticism.


Questions on the topic

How much did Bitcoin Depot lose in the April 2026 cybersecurity incident?
Bitcoin Depot disclosed in an April 8 SEC 8-K filing that an unauthorized actor moved approximately 50.903 Bitcoin worth $3.665 million from its corporate digital asset settlement wallets after compromising credentials.