The crypto ATM operator kept the leak quiet for over a year, citing federal procedures and law enforcement investigations.
According to a recent filing with the Maine Attorney General’s office, the breach was first detected on June 23, 2024, when Bitcoin Depot identified suspicious activity on its information systems. The firm deployed an investigation in response, engaging third-party security experts to determine the extent of the breach.
On July 18, 2024, the investigation confirmed that a hacker had accessed documents containing the personal data of 26,732 customers. The stolen information included names, phone numbers, and driver’s license numbers. In some cases, it also included home addresses, birth dates, and email addresses.
Bitcoin Depot said it was unable to notify affected users earlier due to an ongoing federal investigation. The disclosure hold was only lifted on June 13, 2025, when law enforcement confirmed that their investigation had concluded.
The company emphasized that there is no evidence so far that the exposed data has been misused, and is offering support to affected individuals. It has also implemented new security measures, improved system monitoring, and increased internal awareness to help prevent future incidents.
Users are advised to stay vigilant over the next 12 to 24 months and urged to monitor financial accounts, review credit reports, and report any suspicious activity or signs of identity theft immediately.
The breach comes amid a wave of targeted attacks on crypto service providers, as threat actors continue to evolve their tactics to prey on unsuspecting individuals and entities. It echoes a similar December 2024 breach on rival crypto ATM operator Byte Federal, which exposed personal data of more than 58,000 users.
Bitcoin Depot is currently the largest crypto ATM operator in the United States, with a network of over 8,000 kiosks nationwide.
