Ready-to-use bitcoin ATM malware found for sale online

The $25,000 malware comes on a faux bank card, and it can steal from a bitcoin ATM, according to Trend Micro.

Hackers are selling malware that can purportedly steal thousands of dollars from bitcoin ATMs, according to Japanese cybersecurity company Trend Micro.

In a blog post published Tuesday, Trend Micro shows posts by an apparently reputable user in an underground online forum, claiming to have malware that exploits a service vulnerability in an ATM in order to steal up to $6,750 worth of bitcoin from the machine.

The main posting is dated June 25, 2018, and Trend Micro shows people on the forum discussing the offering at least a month later. For $25,000, the buyer gets the malware as well as a bank-style card loaded with the malicious code. The card is said to employ two different technologies for potentially communicating with the machine: an EMV chip like those in most modern credit cards, and a near-field communication (NFC) capability for wireless access.

Trend Micro says that, according to other comments on the forum, the malware works by exploiting a menu vulnerability to disconnect the bitcoin ATM from the network to avoid triggering any alarms.

A detailed listing on an underground forum for the bitcoin ATM malware (Trend Micro)

The seller appears to be established and popular, according to Trend Micro, having amassed more than 100 online reviews for the bitcoin ATM malware as well as other financial cybercrime products and services.

Hackers have used a multitude of ways to acquire cryptocurrency, such as cryptojacking and phishing for coin wallet credentials. And traditional ATMs have long been the targets of cybercrime, such as jackpotting and using card skimmers to steal unsuspecting users’ information. Naturally, there’s now a convergence.

Trend Micro suggests that the emergence of bitcoin ATM malware is only a natural progression for cybercrime surrounding cryptocurrencies.

“With the increasing popularity and real-world use of cryptocurrencies and the fact that cybercriminals will always try to exploit something that can make money for them, mining malware has been prevalent in the past year,” Trend Micro says. “It shouldn’t come as a surprise then that malware targeting Bitcoin ATMs will pop up in underground markets.”


According to tracking site Bitcoin ATM Radar, the number of bitcoin ATMs has spiked in recent years, with more than 3,500 of them around the world. Many of them can also carry out transactions for other cryptocurrencies. It’s not clear if the malware in question can steal cryptocurrencies other than bitcoin.

“As long as there is money to be made — and there is quite a bit of money in cryptocurrencies — cybercriminals will continue to devise tools and to expand to lucrative new ‘markets.’”
