Bitcoin Depot Loses $3.6M in BTC After Credential Breach in April 2026

Bitcoin Depot, the largest Bitcoin ATM operator in the U.S., disclosed in an SEC 8-K filing on April 8 that attackers stole 50.9 BTC from its corporate settlement wallets. On-chain investigator ZachXBT traced the actual outflows to March 20 and found 54.45 BTC routed to KuCoin deposit addresses - 3.55 BTC more than the company reported.

Get stories like this before the market moves. Subscribe to Web Snack - your daily 5-minute crypto briefing.

Context

Bitcoin Depot (NASDAQ: BTM) operates more than 9,000 cryptocurrency kiosks across 47 U.S. states and reported $614.9 million in revenue for 2025. The Atlanta-based company went through a leadership overhaul on March 24, when CEO Scott Buchanan resigned and former MoneyGram chief Alex Holmes was appointed Chairman and CEO.

The CEO swap landed one day after the company says it discovered the breach. Buchanan had formally submitted his resignation on March 19, effective March 23 - the same date the hack surfaced internally. Founder Brandon Mintz also stepped down as executive chairman, moving to a non-executive board seat.

This is not Bitcoin Depot's first security failure. A breach detected in June 2023 exposed KYC data of 26,732 customers, including names, phone numbers, driver's license numbers, and home addresses. Bitcoin Depot waited until July 2025 to notify victims, blaming a federal law enforcement hold on disclosure.

Details

According to the SEC filing, attackers gained access to Bitcoin Depot's IT systems and obtained credentials tied to its digital asset settlement accounts. They transferred 50.903 BTC from company-controlled wallets, valued at roughly $3.665 million at the time of the theft. Bitcoin Depot recorded a preliminary estimated loss of $3.665 million, noting the final figure may change.

ZachXBT published on-chain findings on April 9 showing the theft started on March 20 - three days before Bitcoin Depot says it noticed. "Based on the 8K filing it seems it took 3 days for the BitcoinDepot team to notice the $3.6M was stolen" - ZachXBT, on-chain investigator. He traced 54.45 BTC total flowing to KuCoin deposit addresses and flagged that none of the theft addresses had been reported in compliance tools at the time of his post.

The 3.55 BTC gap between ZachXBT's total and the SEC filing figure suggests employee personal accounts may have also been compromised. "A delta of 3.55 BTC (54.45 BTC total) vs 50.9 BTC reported was found indicating other employee personal accounts may have also been impacted" - ZachXBT, on-chain investigator.

Impact

Bitcoin Depot said the breach was contained to its corporate environment and did not affect customer platforms, data, or ATM operations. No evidence of customer data exfiltration has been found so far. The company has hired external cybersecurity specialists and notified law enforcement.

Still, the damage goes beyond $3.6 million. BTM shares hit an all-time low of $2.00 on March 27 and have dropped roughly 88% over the past six months. The company warned in its filing that the incident could trigger reputational harm, legal costs, and regulatory scrutiny. Its cybersecurity insurance may not cover the full loss.

Bitcoin Depot is far from alone. Chainalysis reported $3.4 billion stolen from crypto companies in 2025. In 2026, hacks have already claimed $280 million from Drift and tens of millions from other protocols. Bitcoin ATM operators sit in a uniquely exposed position: they hold large BTC reserves for customer transactions while bridging physical cash infrastructure with digital custody systems.

Next Steps

Bitcoin Depot's forensic investigation remains ongoing. The company is working with third-party specialists to determine how attackers compromised settlement credentials and whether other systems were affected. No timeline for the investigation's completion has been disclosed.

New CEO Alex Holmes walked into the job and inherited a security crisis. The company projects a 30-40% drop in core revenue for 2026 due to state regulatory pressure, including a halt to ATM operations in Connecticut. Holmes, who oversaw MoneyGram's $2 billion sale to Madison Dearborn Partners, was brought in for his compliance and regulatory track record.

ZachXBT's finding that the stolen BTC flowed to KuCoin complicates recovery. The exchange has faced criticism for its use by illicit actors, though it does maintain KYC requirements. Law enforcement may attempt to freeze funds through KuCoin's compliance channels, but the BTC has likely already been moved or mixed.

Stay ahead of hacks, regulation, and market moves. Join readers who start their day with Web Snack.

P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.