Over St. Patrick’s Day weekend, unidentified hackers stole more than $1.6 million in cryptocurrency from Bitcoin ATMs owned by General Bytes.

In what the ATM owner called a security incident of the highest severity, threat actors were able to exploit a zero-day flaw by uploading “his own java application remotely via the master service interface used by terminals to upload videos, and run it using batm user privileges,” the advisory released by General Bytes stated.

Once the attackers were able to accomplish this, they secured access to the database, where they were able to “read and decrypt API keys used to access funds in hot wallets and exchanges, send funds from hot wallets, and download usernames, password hashes” as well as turn off the two-factor authentication (2FA) feature. 

This cryptocurrency-related breach is the second aimed at General Bytes in under a year, the last of which occurred less than a year ago, in August.

Though the company has stated that it has run multiple security audits since 2021, this was a vulnerability that was never caught. General Bytes advises its terminal operator customers to keep their servers behind firewalls and VPNs, as well as assume that the passwords and API keys to exchanges and hot wallets used by end users are compromised — and should be changed accordingly.