Full Report
The FBI says Americans lost over $388 million last year to scams using cryptocurrency kiosks, also known as crypto ATMs or Bitcoin ATMs. [...]
Analysis Summary
# Incident Report: Surge in Cryptocurrency Kiosk Fraud (2025)
## Executive Summary
In 2025, the FBI’s Internet Crime Complaint Center (IC3) recorded a massive surge in fraud involving cryptocurrency kiosks (Bitcoin ATMs), resulting in over $388 million in losses across 13,400 complaints. The majority of victims were individuals over the age of 50, with attackers leveraging social engineering to coerce victims into making physical cash deposits that were instantly transferred to criminal-controlled wallets.
## Incident Details
- **Discovery Date:** Ongoing (Reported May 19, 2026)
- **Incident Date:** Full year 2025
- **Affected Organization:** General Public (specifically high-risk demographics over age 50)
- **Sector:** Financial / Cryptocurrency
- **Geography:** United States (Highest impact in Texas, Florida, and California)
## Timeline of Events
### Initial Access
- **Date/Time:** Various (Year 2025)
- **Vector:** Social Engineering (Phishing, Vishing, Impersonation)
- **Details:** Attackers contacted victims via phone or online platforms, often impersonating government officials, law enforcement, or technical support entities.
### Lateral Movement
- **N/A:** These are social engineering attacks against individuals, so the only movement is "Real-world Lateral Movement": attackers guide victims from their bank accounts to physical crypto ATM locations.
### Data Exfiltration/Impact
- **Loss of Funds:** Victims withdrew cash from traditional bank accounts and deposited it into crypto kiosks.
- **Immediate Transfer:** Funds were converted to cryptocurrency and sent to attacker-controlled wallets via scanned QR codes provided by the criminals.
### Detection & Response
- **Detection:** Identified through victim complaints filed with the IC3.
- **Response Actions:** The FBI issued public service announcements; several states (MN, IN, TN) implemented legislative bans or restrictions on cryptocurrency kiosks.
## Attack Methodology
- **Initial Access:** Social engineering (impersonation of trusted authorities).
- **Persistence:** High-pressure tactics to keep the victim on the phone until the transaction is complete.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of cryptocurrency to bypass traditional banking "red flags" and wire transfer delays; instructions to victims to ignore kiosk operator warnings.
- **Credential Access:** N/A.
- **Discovery:** Selection of vulnerable demographics (individuals over 50).
- **Lateral Movement:** Directing victims to physical locations (gas stations, convenience stores).
- **Collection:** Physical cash collection via kiosk hardware.
- **Exfiltration:** Blockchain transfers to obfuscated or offshore wallets.
- **Impact:** Financial devastation of individual victims.
## Impact Assessment
- **Financial:** $388 million in total losses (58% increase from 2024).
- **Data Breach:** Exposure of personally identifiable information (PII) during social engineering phases.
- **Operational:** Disruption of individual livelihoods; strain on law enforcement resources.
- **Reputational:** Decreased trust in the cryptocurrency kiosk industry and digital assets.
## Indicators of Compromise
- **Network indicators:** N/A (Physical interaction).
- **File indicators:** N/A.
- **Behavioral indicators:**
  - Unsolicited requests for payment via cryptocurrency.
  - Demands for immediate action while remaining on a phone call.
  - Instructions to withdraw large sums of cash and visit a retail location.
  - Provision of QR codes for "safe" wallets or "government" accounts.
## Response Actions
- **Containment:** State-level legislative bans on crypto kiosks in Minnesota, Indiana, and Tennessee.
- **Eradication:** FBI IC3 tracking and potential seizure of wallets (where possible).
- **Recovery:** Public awareness campaigns and educational outreach by the FBI.
## Lessons Learned
- **The "Validation Gap":** Many kiosks lack sufficient identity verification or cooling-off periods to prevent immediate fraud.
- **Demographic Targeting:** Older populations remain the primary target for high-value social engineering due to a lack of familiarity with crypto-asset mechanics.
- **Speed of Fraud:** The instantaneous nature of crypto transfers makes fund recovery nearly impossible once the "Send" button is pressed.
## Recommendations
- **Legislative:** Implement mandatory "fraud warnings" on kiosk screens and 24-hour delays for large first-time transactions.
- **Technical:** Kiosk operators should implement stricter KYC (Know Your Customer) protocols and block known high-risk or "scam-associated" wallet addresses.
- **Individual:**
  - Never follow payment instructions involving QR codes provided by strangers.
  - Verify all government/law enforcement claims through official, independently sourced phone numbers.
  - Treat cryptocurrency like cash; once it is sent, it cannot be reversed.