Cybercriminals are selling Bitcoin ATM malware on the Dark Web

• The malware exploits a service vulnerability in Bitcoin ATMs and allows attackers to steal over $6,000 worth of bitcoins.
• The Bitcoin ATM malware is also capable of disconnecting a machine from the network, thereby disabling any security alarms.

The increasing popularity of cryptocurrencies has spurred several organizations in the financial services industry to make key changes and leverage new technologies designed to tap into the trend. This has resulted in the emergence of Bitcoin ATMs - machines that look similar to regular ATMs, but connect to cryptocurrency exchanges instead of bank accounts.

Although there are currently very few Bitcoin ATMs available globally, cybercriminals have already begun developing tools and malware to target these machines and steal digital currencies.

Security researchers at Trend Micro recently discovered a cybercriminal already selling a Bitcoin ATM malware on the dark web.

How do Bitcoin ATMs work?

Bitcoin ATMs do not employ the kind of security standards that regular ATMs incorporate.

For instance, Bitcoin ATMs use mobile numbers and ID cards for user identity verification rather than requiring a credit or debit card for transactions. Cryptocurrency users are required to enter their wallet address or scan a QR code. Moreover, the wallets used for digital fund storage and transactions are usually downloaded from apps and are not standardized. The combination of these issues pose a serious security problem.

Bitcoin ATM malware features

According to Trend Micro researchers, the Bitcoin ATM malware they discovered on the dark web comes with a ready-to-use card that contains EMV and NFC capabilities.

The malware exploits a host of vulnerabilities, allowing the malware’s operators to steal about 6,700 worth of cryptocurrency in US dollars, euros or pounds. The malware is currently being sold for $25,000.

“The number of reviews (over 100) shows that the seller has earned quite a large amount from various offerings, including this malware,” Trend Micro researchers said in a blog.

Alongside the Bitcoin ATM malware, the dark web seller has also been spotted selling other malware and compromised accounts, indicating that he likely is an experienced cybercriminal.

"What we can glean from this is that cybercriminals interested in amassing bitcoins and other cryptocurrencies are no longer limiting themselves to cryptomining malware," the researchers added. "As long as there is money to be made — and there is quite a bit of money in cryptocurrencies — cybercriminals will continue to devise tools and to expand to lucrative new ‘markets’. As the number of Bitcoin ATMs grows, we can expect to see more forms of malware targeting cryptocurrency ATMs in the future."