30+
State bills introduced in 2026
20
States with crypto ATM laws since 2023
$20.86M
AARP federal lobbying spend (2025)
$333M
FBI-reported crypto ATM fraud losses, 2025
The Case for Enforcement Over Legislation
Before examining every state bill and every ban, it's worth establishing the argument that gets systematically buried in AARP's legislative testimony: existing consumer protection law, enforced aggressively by state attorneys general against specific bad actors, is a more targeted, more proportionate, and faster-acting tool than any new statute. The track record bears this out. The Massachusetts Attorney General filed a consumer protection and securities fraud lawsuit against Bitcoin Depot on February 3, 2025 — under existing law — alleging the company facilitated more than $10.6 million in scam transactions from customers depositing $10,000 or more, more than 80% of whom the AG alleged were fraud victims. No new legislation was required. The existing consumer protection statute was sufficient. Maine reached a consent agreement requiring Bitcoin Depot to pay $1.9 million to scam victims — again, under existing law. Iowa's Attorney General sued both Bitcoin Depot and CoinFlip using existing consumer protection authority, finding 98% or more of complaint-based transactions at both operators were scam-related. The DC Attorney General sued Athena Bitcoin under existing law, alleging 93% of flagged transactions were fraudulent. None of these actions required new legislation. They required political will and prosecutorial resources.Why AG enforcement beats new legislation:
- It targets bad actors specifically. A consumer protection lawsuit hits the operator who is actually facilitating fraud — not the one with a 0.7% scam rate serving unbanked communities.
- It moves faster. An AG can file a complaint, seek an injunction, and freeze bad-actor operations in months. A new statute takes a full legislative session, then another session to fix unintended consequences.
- It uses existing legal tools. Consumer protection statutes in every state already prohibit unfair, deceptive, or unconscionable acts. Knowingly facilitating fraud qualifies. No new definitions required.
- It avoids legislative drift. New legislation — as Kentucky's HB 380 demonstrated with its hardware wallet backdoor amendment — picks up riders and unintended provisions as it moves through the process.
- It creates deterrence without prohibition. A $1.9 million consent order against Bitcoin Depot in Maine changes operator behavior industry-wide. A ban eliminates legitimate operators along with predatory ones.
The State-by-State Landscape
That said, legislative activity is accelerating, and operators must understand where every major jurisdiction stands. AARP's national government affairs director Françoise Cleveland has stated publicly: "AARP is working in every state to ensure that criminals can no longer use crypto kiosks to steal money from victims." That language — "every state" — is not rhetorical. It is a strategic directive, executed by a lobbying apparatus that spent $20.86 million on federal influence operations in 2025 alone, before counting any state-level advocacy operations. The organization anticipated that "nearly every state that does not already have relevant statutes will consider legislation in 2026 or 2027." The legislative outcomes fall into three categories: outright bans, regulatory frameworks, and enforcement-only actions.States Pursuing or Enacting Full Bans
**Indiana (HB 1116)** — Signed March 9, 2026. Indiana became the first state in the nation to ban Bitcoin ATMs outright, eliminating approximately 900 kiosks. AARP provided "strong support." The same legislature, in the same session, authorized cryptocurrency investments for state pension funds — a contradiction worth sitting with. Cryptocurrency is apparently fine for pension fund managers but too dangerous for a retired teacher who wants to buy $500 of Bitcoin at a gas station. **Tennessee (HB 2505)** — Passed both chambers unanimously, awaiting the governor's signature. Would make operating a crypto kiosk a Class A misdemeanor effective July 1, 2026. AARP Tennessee called this its "main goal" for the 2026 session. **Massachusetts (S.804 + local bans)** — AARP Massachusetts is pushing a statewide ban following the Attorney General's lawsuit against Bitcoin Depot. The cities of Waltham and Haverhill have already enacted local bans. Haverhill's vote was 11-0 after three residents reported being defrauded of $20,000 combined. The MA lawsuit itself — filed under existing consumer protection law — is working exactly as enforcement should. The push for a statewide ban on top of it is a separate, more aggressive policy choice. **Minnesota (HF 3642)** — A total ban bill backed by AARP was laid over for future action after the House Commerce Committee co-chair expressed skepticism about a full prohibition approach. The state has approximately 350 licensed kiosks operated by eight companies. The Minnesota Department of Commerce cited 70 complaints and $540,000 in losses for 2025. What the hearing record also included — and what AARP's testimony did not highlight — was operator data that challenges the blanket narrative. **New Jersey (A3244)** — Would make operating crypto kiosks unlawful under the Consumer Fraud Act, with $10,000 first-offense fines and $20,000 for subsequent violations. **Hawaii (HB 1642 / SB 2387)** — HB 1642 advanced in the Senate, targeting a ban on cash-in crypto transactions. The City and County of Honolulu's Executive Office on Aging submitted testimony in "strong support" of SB 2387, endorsing $2,000/day and $10,000/month caps.States That Passed Regulatory Frameworks
**Virginia (SB 489)** — Signed into law, effective July 1, 2026. AARP called it a top 2026 priority. Requires licensing, daily transaction limits, and fraud warnings. Passed the House 84-13. **Rhode Island (HB 5121)** — Signed June 2025. AARP didn't just testify — it co-drafted the legislation, working directly with bill sponsors. Establishes a $1,000/day cap for new customers, fraud warnings, receipts, and quarterly operator reporting. **Illinois** — Multiple bills signed in 2025, including the Digital Assets Consumer Protection Act and the Digital Asset Kiosk Act. Provisions include an 18% fee cap, $2,500 daily limit for new customers, and full refunds for fraud victims. **Nebraska** — Statewide regulation signed in 2025 with AARP's direct advocacy. Local jurisdictions including Omaha and Grand Island enacted additional signage ordinances. **Wyoming** — Regulation bill signed with AARP support. Governor Gordon publicly praised AARP's work. Post-implementation data showed scam rates dropped to 1% of prior-year levels with a $1,000/day limit and a 3% fee cap. **Kentucky (HB 380)** — Passed the House 85-0, pending Senate action. Includes $2,000 daily cap, KYC requirements, and fee disclosure. A controversial late amendment (Section 33) would force hardware wallet manufacturers to maintain live customer service and provide mechanisms to recover seed phrases — a provision that directly conflicts with Kentucky's own 2025 self-custody protection law (HB 701) and has drawn sharp criticism from the self-custody community. This is exactly the kind of legislative drift that AG enforcement avoids. **Vermont** — Moratorium on new kiosks extended through July 1, 2026.States With Pending or Stalled Legislation
**Washington (SB 5280)** — Passed the Senate but died in the House committee. AARP Washington issued a statement condemning the House for putting "crypto kiosk profits ahead of public safety." **Ohio (HB 648, ELDER Act)** — In committee as of March 2026. Would require money transmitter licensing and uniform standards. **Missouri (HB 3043)** — Read second time. Would expand AG civil enforcement authority. Missouri AG Hanaway is separately investigating five operators via civil investigative demands issued in December 2024. **Michigan (HB 5469/5470)** — In House committee. Based on the ALEC model regulation framework with money transmitter licensing requirements. **South Carolina, West Virginia, North Carolina** — All pending with active AARP engagement. North Carolina is targeting the 2027 session.Enforcement-Only States
**Iowa** — The AG sued both Bitcoin Depot and CoinFlip, finding 98% or more of complaint-based transactions at both operators were scam-related. **Maine** — Bitcoin Depot entered a consent agreement in January 2026 requiring a $1.9 million payment for scam victims after operating as an unlicensed money transmitter. **Montana** — State Auditor reported $2 million in crypto ATM fraud losses in 2025.Federal Legislation
Senator Dick Durbin introduced the Crypto ATM Fraud Prevention Act (S.710) in February 2025. The bill — still pending in the Senate Banking Committee — would require fraud warnings, chief compliance officers, anti-fraud policies submitted to FinCEN, live customer service, quarterly Treasury location reporting, and new-customer transaction limits of $2,000/day. Notably, even the most vocal federal critic of the industry proposed regulation, not prohibition.The Fraud Data Is Real
AARP's campaign rests on numbers that are genuinely alarming and should not be dismissed by anyone in this industry:Key Fraud Statistics:
- $333 million in crypto ATM fraud losses reported to the FBI in 2025 (January–November)
- $246.7 million in losses reported in 2024 — a 99% increase in complaints year-over-year
- 85-86% of reported losses where age is known were suffered by adults 60+
- 12,000+ complaints filed in 2025 alone
- 92% of older adults surveyed by AARP said consumer protections at crypto kiosks are important
The Operator Data That Legislators Aren't Hearing
The fraud statistics dominating legislative hearings come almost entirely from enforcement actions against specific bad actors. What's systematically absent from the same hearings is operator data showing what the industry looks like when compliance infrastructure is actually built and maintained. In Minnesota, CoinFlip submitted data to the legislature from its 50 Minnesota kiosks showing that less than 1% of its Minnesota transactions resulted in refund requests — directly contradicting the narrative that Bitcoin ATMs are inherently scam-enabling infrastructure. That data point, presented directly to lawmakers considering a total ban, received far less attention than the law enforcement testimony that preceded it. The House Commerce Committee co-chair's stated skepticism about a full ban may reflect, at least in part, exposure to that kind of contradictory evidence. America Bitcoin ATM submitted a detailed fraud prevention report to the Hawaii legislature in February 2026:America Bitcoin ATM Fraud Data (through Feb. 12, 2026):
- 0.7% scam rate by transaction count — over 99% of transactions were legitimate
- 2.1% loss rate by dollar volume — over 97% of total volume involved no fraud
- 53.6% of scam-related funds intercepted before loss occurred
- Zero scam incidents in Hawaii since launching there in August 2024
- 78% of consumer losses occurred before the company launched its Hold & Release program in September 2025
The Ban vs. Regulation Debate
The core policy question is whether prohibition actually works better than targeted enforcement and regulation. The evidence says no. Wyoming's post-implementation data showed scam rates dropped to 1% of prior-year levels after implementing daily limits, a 3% fee cap, and required live customer service. Connecticut State Police Detective Matt Hogan, who helped draft his state's 2023 law, reported that his unit is "not taking nearly as many cases" since regulations took effect. Eleven states passed consumer protection laws with regulatory frameworks in 2025 — daily transaction limits, mandatory fraud warnings, operator licensing, transaction receipts, and fraud refund requirements — and the early indicators are positive. The ban argument has a fundamental logical flaw. When a state eliminates Bitcoin ATMs, it doesn't eliminate demand — it pushes consumers toward peer-to-peer transactions with zero KYC compliance, zero traceability, and zero consumer protections. A scam victim who was guided to a Bitcoin ATM was at least interacting with a licensed, registered system that law enforcement could trace. A victim who meets a stranger in a parking lot for a cash-for-Bitcoin exchange has none of those protections. ATM Industry Association CEO Lonnie Talbert put the contradiction plainly: "What about check fraud? Are we getting rid of checks? What about point-of-sale fraud? What about credit card fraud? We don't get rid of those things. But this is a new technology people don't understand." The $333 million in annual Bitcoin ATM fraud losses — as serious as they are — represent a fraction of America's broader fraud economy. The Consumer Federation of America estimates total annual U.S. scam losses at $119 billion. Banning Bitcoin ATMs doesn't end elder financial exploitation. It moves it to channels regulators can't see.Who Gets Hurt by Bans
The FDIC's 2023 National Survey found that 4.5% of U.S. households remain unbanked, with 66.2% of those households being entirely cash-only — approximately 3.5 million households. Black, Hispanic, American Indian, and Alaska Native households are disproportionately represented. For these communities, Bitcoin ATMs are not a novelty. They are one of the few bridges between the cash economy and digital financial participation. Immigrant communities use them for remittances. Workers without bank accounts use them to access the digital economy. When AARP Massachusetts Director Jen Benson says "very few people use these for legitimate purposes, because the fees are so high," she is substituting her judgment for that of the cash-only households who have made a different calculation. High fees are a regulatory enforcement problem — precisely the kind that the Massachusetts AG is already pursuing under existing law.AARP's Own Track Record
An organization running a 30-state lobbying campaign against financial products on the grounds of protecting vulnerable seniors invites scrutiny of its own record on that front.The UnitedHealthcare Relationship
In 2024, UnitedHealthcare paid AARP a one-time upfront royalty of more than $9 billion as part of a restructured 12-year contract extension. According to AARP's own audited financials, the organization made $289.3 million from member dues — but $1.134 billion from corporate royalties, of which $905 million came from health insurers. Corporate royalties make up more than 60% of AARP's total revenue. UnitedHealthcare pays AARP 4.95% of every premium dollar paid by AARP members who purchase AARP-branded plans — meaning the higher UnitedHealthcare's premiums go, the more AARP earns. UnitedHealthcare dismissed approximately one in every three insurance claims in 2023 — the highest denial rate of any major insurer and twice the industry average. AARP said nothing. A poll by McLaughlin & Associates found that 84% of voters 55 and older believe the billions in corporate royalties create a conflict of interest that could impact AARP's ability to represent seniors' interests."AARP is in the insurance business."
— Bruce Vladeck, former administrator of the Medicare program under the Clinton administration
The Meta Privacy Settlement
In 2025, AARP agreed to pay $12.5 million to settle a class action lawsuit accusing it of violating the federal Video Privacy Protection Act by secretly sharing its members' personal data — including identities and video-viewing history — with Facebook/Meta via the Meta Pixel tracking tool, without consent. The settlement covered more than 2.7 million affected members. An organization that deployed Meta's surveillance tools against its own membership's privacy is now positioning itself as a guardian of senior safety at state legislatures.The Medicare Supplement Fraud Lawsuit
In February 2026, a proposed class action was filed in New Jersey federal court against both AARP and UnitedHealthcare, alleging they "fraudulently sell" AARP memberships and Medicare supplement plans while "intending to deny reimbursement claims." One plaintiff, a senior stroke survivor, paid nearly $8,000 out of pocket for a medically necessary procedure after being denied coverage — and was assured by an AARP customer service representative in a recorded call that his claim would be covered. None of this means AARP's fraud data on Bitcoin ATMs is wrong. It means that when an organization with $9 billion in insurance industry money on its balance sheet positions itself as a neutral consumer advocate on financial regulation questions, legislators deserve to understand who is actually speaking.What This Means for Consumers
What Bitcoin ATM users should know right now:
- If you're in Indiana: Bitcoin ATMs are banned statewide as of March 2026. If you're in Tennessee, a ban takes effect July 1, 2026 pending the governor's signature.
- If you're in a regulation state (Virginia, Rhode Island, Illinois, Nebraska, Wyoming, and others): New daily limits, fraud warnings, and refund rights may apply — including 90-day fraud refund windows in some states. Check your state's specific provisions.
- If someone tells you to go to a Bitcoin ATM to pay a debt, fine, or fee: Stop. No legitimate government agency, bank, utility company, or employer will ever request payment at a Bitcoin ATM. This is the single most important fraud indicator. See our consumer protection resources.
- You can check an operator's regulatory record before using their machines at our operators directory. Enforcement records vary dramatically across the industry.
- Legitimate operators warn you about scams on-screen, provide receipts with transaction details, and some now make live calls if your transaction raises fraud flags. If your operator doesn't do these things, use a different one.
- If you were scammed at a Bitcoin ATM in Maine, you may be eligible for compensation under Bitcoin Depot's $1.9 million consent agreement. The claims deadline has passed for the initial window — check our consumer protection resources for updates.
What This Means for Operators
The regulatory environment has shifted from isolated state enforcement actions to a coordinated national campaign with institutional lobbying support and an explicit preference, in some states, for total elimination. Operators who have not built real compliance infrastructure are not just business risks — they are the reason ban bills are gaining traction in legislatures where regulation should be winning the argument.Urgent operator considerations:
- Share your data with legislators — proactively. CoinFlip's submission to Minnesota showing less than 1% of its transactions resulted in refund requests, and America Bitcoin ATM's Hawaii fraud report showing zero scam incidents across 354 transactions, are exactly the kind of evidence that can shift a legislative debate. If your compliance record is clean, make it visible. Operators who stay silent let the worst actors define the industry.
- Understand that AG enforcement is the pressure point — and the best outcome. A targeted AG action against a bad actor under existing consumer protection law is the alternative to a blanket ban. Responsible operators should actively support aggressive enforcement against the operators who are actually facilitating fraud. That is not self-interest — it is the argument that preserves your operating environment.
- The ban momentum is real. Three states have enacted or are about to enact full bans. Every high-profile scam case, every AG lawsuit, every elderly victim headline strengthens the case for prohibition. The most effective counterargument is your own fraud rate — not industry association talking points.
- Hold & Release programs, live compliance calls, and wallet blocking are no longer optional differentiators. They are the compliance floor that separates operators who survive this regulatory environment from those who don't — or whose market gets banned because of a competitor's misconduct.
- Fee transparency is a simultaneous front. The Massachusetts AG's case against Bitcoin Depot for exceeding its own posted 23% fee cap in 7,000+ transactions, the Iowa AG lawsuits, and Missouri's civil investigative demands against five operators all target fee practices. Drip pricing — displaying a low Bitcoin price and adding an undisclosed fee at confirmation — is the industry's most immediate regulatory liability.
- Watch Kentucky HB 380 carefully. The hardware wallet backdoor provision (Section 33) is a cautionary example of what happens when industry engagement happens after the legislative process rather than during it.