- Three major Bitcoin ATM operators (CoinFlip, Bitcoin Depot, Byte Federal) suffered data breaches between 2023 and 2024, collectively exposing 121,000+ customers' KYC data
- Fake recovery services like TRADE CLAIM and Integrity Shields systematically target breach victims with impersonation and advance-fee schemes
- FBI reports $333 million in Bitcoin ATM scam losses in 2025 alone, with the median victim age over 70
- Recovery scammers use breached PII — including SSNs, government IDs, and transaction history — to impersonate law enforcement and build false credibility
- No operator offered adequate identity protection to breach victims; one took 380 days to notify customers
The Scale of the Problem
Bitcoin ATM fraud has become one of the fastest-growing categories of financial crime in the United States. FBI data shows $333 million in losses tied to cryptocurrency kiosk transactions in 2025, a sharp increase from approximately $250 million the prior year. The victims follow a consistent demographic profile: the median age exceeds 70, and many are targeted through elaborate impersonation schemes involving fake law enforcement calls, utility shutoff threats, and fabricated tax obligations.
What distinguishes the current wave of fraud from earlier iterations is the emergence of secondary predators. After victims lose money at Bitcoin ATMs, a separate category of scam operator contacts them with offers to recover the stolen funds. These recovery scam operations extract additional thousands of dollars from people who have already been victimized once. The question this investigation examines is where these recovery scammers find their targets — and how three major data breaches created a structural pipeline that makes targeting effortless.
How Recovery Scammers Find Their Targets
Recovery fraud operators source their victim lists through four primary channels, each of which leaves a distinct evidentiary footprint.
Public forum monitoring. Reddit's r/Scams subreddit serves as an inadvertent lead-generation platform. Users post detailed accounts of Bitcoin ATM losses, often including the operator name, city, and dollar amount. While the subreddit's automated moderation explicitly warns against recovery scam solicitation, the posts themselves function as advertising for anyone monitoring the forum for potential targets.
Review platform infiltration. Entities like Integrity Shields seed recovery service advertisements directly into the Trustpilot review pages of major Bitcoin ATM operators. A victim searching for "CoinFlip reviews" or "Bitcoin Depot complaints" encounters what appear to be positive testimonials from satisfied recovery clients — planted by the recovery scam operators themselves.
Law enforcement impersonation. The FBI has issued at least three public service announcements warning about criminals who contact scam victims while posing as federal agents or prosecutors. These impersonators claim to be working on the victim's case and request additional payments for "processing fees" or "tax obligations" related to the supposed recovery effort.
Data breach exploitation. This is the channel that transforms recovery fraud from an opportunistic hustle into a scalable operation. When a Bitcoin ATM operator's customer database is compromised, the breached records contain precisely the information a recovery scammer needs: names, phone numbers, government-issued identification, and — in the most data-rich breaches — transaction histories that reveal exactly how much each victim lost and when.
The Three Breaches
Between August 2023 and September 2024, three of America's largest Bitcoin ATM operators suffered data breaches that collectively exposed the personal information of more than 121,000 customers. The scope, severity, and response timelines varied dramatically.
| Operator | Breach Date | Customers | SSN Exposed? | Days to Notify | Protection Offered |
|---|---|---|---|---|---|
| CoinFlip | Aug 7, 2023 | 36,646 | Yes | ~74 | Class action ($475K) |
| Bitcoin Depot | Jun 23, 2024 | 26,732 | No | ~380 | None |
| Byte Federal | Sep 30, 2024 | 58,000 | Yes | ~49 | None |
| Combined | — | ~121,378 | — | — | — |
CoinFlip: The Social Engineering Attack
CoinFlip's breach originated from a social engineering attack targeting an employee email account on August 7, 2023. The compromised data included names, addresses, Social Security numbers, driver's license numbers, and passport numbers — the most sensitive category of personally identifiable information short of biometric data. CoinFlip notified affected customers approximately 74 days after the breach, a timeline that falls within the reporting windows required by most state breach notification statutes.
A class action lawsuit followed, resulting in a $475,000 settlement. While the settlement amount is modest relative to the number of affected individuals, it represents the only instance among the three breaches where victims received any form of remediation. CoinFlip's compliance department also took the step of incorporating recovery scam warnings into its customer-facing materials.
Bitcoin Depot: The 380-Day Silence
Bitcoin Depot detected its breach on June 23, 2024, but did not notify affected customers until approximately July 8, 2025 — a gap of roughly 380 days. The company attributed the extended delay to a request from federal law enforcement, citing the need to avoid compromising an ongoing investigation. The breached data included names, phone numbers, driver's license information, physical addresses, dates of birth, and email addresses. Social Security numbers were not among the compromised records.
Bitcoin Depot offered no identity protection services to affected customers. The company's position, as stated in its notification, was that cryptocurrency transactions are not covered by the standard breach remediation requirements that apply to traditional financial institutions. No class action settlement has been reached.
Byte Federal: The Most Data-Rich Breach
Byte Federal's September 30, 2024 breach was the largest and most data-intensive of the three incidents. An attacker exploited a vulnerability in a self-managed GitLab server to access records belonging to approximately 58,000 customers. The compromised data encompassed names, dates of birth, physical addresses, phone numbers, email addresses, government-issued identification documents, Social Security numbers, transaction activity records, and user photographs.
The inclusion of transaction histories and photographs makes this breach uniquely dangerous for recovery fraud targeting. A scammer with access to this data can reference specific transactions — dates, amounts, locations — when contacting a victim, establishing a level of credibility that generic phishing attempts cannot match. Byte Federal discovered the breach approximately 49 days after it occurred. A class action, Fisher v. Byte Federal, has reached a preliminary settlement.
Meet the Recovery Scam Entities
TRADE CLAIM (tradeclaim.org)
TRADE CLAIM presents itself as a cryptocurrency recovery service. Security researchers at PhishDestroy flagged the domain as linked to crypto drainer activity — a category of fraud where victims connect their wallets to a malicious interface that immediately drains all assets. The domain was registered just one day before PhishDestroy's detection, a timeline consistent with disposable fraud infrastructure designed for rapid deployment and abandonment.
The domain is hosted on IP address 94.23.161.188 and registered through the Dynadot registrar. It appeared on three separate security blocklists within days of registration. No registration exists for this entity with the FTC, FinCEN, or any state money transmitter licensing authority.
Integrity Shields (integrityshields.com)
Integrity Shields operates with a different model: sustained online presence combined with aggressive review manipulation. Scam Detector assigns the domain a trust score of 12.2 out of 100. Multiple Trustpilot fraud reports from early 2026 describe a consistent pattern: victims are contacted after posting about cryptocurrency losses, promised recovery, charged advance fees ranging from several hundred to several thousand dollars, and then ghosted.
The entity's homepage features client testimonials attributed to a different company altogether — "Katalyst Retrieval" — suggesting either sloppy template reuse from a common scam kit or deliberate obfuscation. More telling is where Integrity Shields appears in the Trustpilot ecosystem: its name shows up in reviews for unrelated fraudulent trading platforms such as GLB Markets and Raisegrid, alongside other recovery scam entities including Justicefield, Cryptorecoverytrackers, BlockTraceLabs, and Veri Trail Intel. This cross-pollination pattern indicates a coordinated fake review injection network rather than independent operations.
The Regulatory Reckoning
While recovery scam operators exploit breached data downstream, the Bitcoin ATM operators themselves face an accelerating wave of enforcement actions focused on their role in facilitating fraud upstream.
In February 2025, the Iowa Attorney General filed suit against both CoinFlip and Bitcoin Depot, alleging the operators processed more than $20 million in transactions tied to known scam patterns. Internal compliance records cited in the Iowa complaint suggest both companies were aware of the scale of fraud flowing through their networks.
In January 2026, Bitcoin Depot reached a $2 million settlement with the Maine Attorney General over fraud-related consumer protection violations. One month later, the Massachusetts Attorney General filed suit against Bitcoin Depot, citing internal documents showing that company employees had warned executives about scam prevalence rates exceeding 90% among certain customer cohorts. In September 2025, the DC Attorney General sued Athena Bitcoin, alleging a 93% fraud rate across its kiosk network in the District.
These enforcement actions focus on the operators' failure to prevent fraud at their kiosks. None address the data breach-to-recovery-scam pipeline directly. The gap is significant: regulators are punishing operators for enabling the initial scam, but no enforcement apparatus targets the structural conditions that enable the secondary victimization.
The Regulatory Gap
The Bank Secrecy Act and its implementing regulations under FinCEN mandate rigorous Know Your Customer (KYC) procedures for money services businesses, including Bitcoin ATM operators. These requirements exist for legitimate reasons: preventing money laundering, terrorist financing, and sanctions evasion. But they also mean that Bitcoin ATM operators accumulate databases containing the most sensitive categories of personal information — the exact data that makes recovery fraud targeting possible.
State data breach notification laws require companies to inform affected individuals within specified timeframes, typically 30 to 90 days. But notification is not remediation. Bitcoin Depot's position — that cryptocurrency transactions fall outside the scope of standard breach response obligations — highlights a gap in the regulatory framework that has not been addressed by any state legislature or federal agency.
The result is an asymmetry that functions as a pipeline: maximum data collection on the front end, minimum data protection on the back end, and a growing pool of exposed victims whose personal information circulates through criminal networks with no meaningful mechanism for recall or remediation.
The Recovery Scam Playbook
Recovery fraud follows a four-stage operational model, each phase building on the information and trust established in the previous stage.
- Reconnaissance. Lead lists are assembled from data breaches, public forum posts, review platform monitoring, and dark web markets where breached databases are traded. The most valuable leads include transaction history data, which allows scammers to reference specific losses.
- Contact initiation. Victims receive text messages (smishing) or phone calls (vishing) from individuals claiming to represent law enforcement agencies, regulatory bodies, or specialized recovery firms. The initial contact typically references the victim's original loss with enough specificity to establish credibility.
- Credibility construction. Using PII from breach data, the scammer demonstrates knowledge of the victim's full name, address, the operator they used, and approximate transaction amounts. Some impersonators provide fabricated case numbers and badge numbers. Others reference real enforcement actions — such as the Iowa AG lawsuit against Bitcoin Depot — to bolster their cover story.
- Escalating extraction. The victim is asked to pay advance fees for "processing," "tax obligations," "escrow deposits," or "blockchain analysis costs." These fees typically range from $3,000 to $10,000 and are requested via wire transfer, gift cards, or — in a cruel irony — additional Bitcoin ATM transactions. The cycle continues until the victim either runs out of money or recognizes the fraud.
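The playbook's stages can be turned into a first-pass triage for inbound texts or call transcripts, for example on a fraud-desk or caregiver reporting line. The sketch below is an added example, not part of the original investigation; the regex patterns, verdict labels, and the `triage` function are assumptions chosen to mirror the indicators listed above, and the sample messages are constructed.

```python
import re

# Indicator groups follow the playbook stages above. The patterns are
# assumptions for this example, not a vetted production ruleset.
INDICATORS = {
    "recovery_offer": re.compile(
        r"\b(recover|retriev|reclaim|refund)\w*\b.{0,60}?"
        r"\b(funds?|bitcoin|crypto\w*|loss(es)?|money)\b", re.I | re.S),
    "authority_claim": re.compile(
        r"\b(fbi|agent|officer|prosecutor|attorney general|"
        r"case number|badge number)\b", re.I),
    "advance_fee": re.compile(
        r"\b(processing fee|tax obligation|escrow deposit|"
        r"blockchain analysis cost|advance fee|upfront)", re.I),
    "payment_rail": re.compile(
        r"\b(wire transfer|gift card|bitcoin atm)", re.I),
}

def triage(message: str) -> dict:
    """Return the matched indicator groups and a verdict for one message."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(message))
    fee_demand = "advance_fee" in hits or "payment_rail" in hits
    pretext = "recovery_offer" in hits or "authority_claim" in hits
    if fee_demand and pretext:
        verdict = "likely_recovery_scam"  # pretext plus a payment demand
    elif pretext:
        verdict = "review"                # pretext only: verify out of band
    else:
        verdict = "no_match"
    return {"verdict": verdict, "hits": hits}

# Constructed sample messages (not real communications).
SAMPLES = [
    "This is Agent Miller, case number 44-2191. We can recover the $7,500 "
    "in Bitcoin you lost. Pay the $3,000 processing fee by gift card.",
    "We are writing to notify you of a data security incident that may have "
    "involved your name and driver's license number.",
    "Did you lose money to a crypto scam? Our specialists can help you "
    "reclaim your funds. Reply YES to learn more.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text))
```

Keyword triage of this kind only prioritizes messages for human review; a message that quotes accurate personal or transaction details is not evidence of legitimacy, since that detail is what breached KYC data supplies.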
What the Evidence Shows — and What It Doesn't
This investigation reviewed breach notification letters, class action filings, domain registration records, security database reports, Trustpilot review histories, FBI public service announcements, and state attorney general complaints. The evidence supports several conclusions, but it is important to delineate what can be established from what cannot.
- Three major Bitcoin ATM operators suffered data breaches within an 18-month period, collectively exposing KYC data for more than 121,000 customers
- Recovery scam entities demonstrably target Bitcoin ATM fraud victims through multiple channels including Trustpilot review manipulation and direct outreach
- Breached KYC data — particularly transaction histories and government IDs — provides the exact information needed for credible impersonation-based recovery scams
- No operator offered identity protection services commensurate with the sensitivity of the exposed data
- The regulatory framework creates a structural asymmetry: maximum data collection requirements paired with minimum breach remediation obligations
What the evidence does not show is any direct referral arrangement between any Bitcoin ATM operator and any recovery scam entity. CoinFlip's compliance department actively warns customers about recovery scams in its communications. Neither Bitcoin Depot nor Byte Federal has been implicated in promoting or facilitating recovery services. The pipeline described in this investigation operates through structural conditions that require no coordination, no handshake agreements, and no deliberate action by the operators whose data was breached.
The absence of intentional collaboration does not diminish the harm. It makes it harder to address. A kickback scheme could be prosecuted as fraud. A structural pipeline rooted in regulatory design is a policy problem — slower to fix, harder to assign blame for, and more durable than any individual bad actor.
What Victims Should Know
- No legitimate service will request upfront payment to recover lost cryptocurrency. Any entity demanding advance fees is a scam.
- Report all incidents to the FBI's Internet Crime Complaint Center at ic3.gov
- Do not respond to unsolicited outreach from anyone claiming to be able to recover your funds, regardless of how much they appear to know about your situation
- Verify recovery services against PhishDestroy, ScamAdviser, and the DFPI Crypto Scam Tracker before engaging
- Contact the original operator directly in writing if you believe your data was compromised in a breach — use verified contact information from the operator's official website, not from any inbound communication
If you were a customer of CoinFlip, Bitcoin Depot, or Byte Federal during the breach periods described in this article, consider placing a credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion). While a credit freeze does not prevent misuse of your data for cryptocurrency-related fraud, it does block the most common forms of identity theft that breached SSNs and government IDs enable.
At BitcoinATM.news, we maintain a Trust Rating System that evaluates operators based on their regulatory history, data protection practices, and consumer protection track record. Our Consumer Protection page provides ongoing monitoring of enforcement actions across the industry.
Disclosure: This investigation found no evidence of direct referral arrangements, affiliate contracts, or data-sharing agreements between any Bitcoin ATM operator and recovery scam entities. CoinFlip's compliance materials actively warn users against recovery scams. Neither Bitcoin Depot nor Byte Federal has been implicated in active promotion of recovery services. All allegations referenced from regulatory filings and lawsuits remain unproven until adjudicated. CoinFlip, Bitcoin Depot, and Athena Bitcoin have denied or disputed the characterizations in the respective lawsuits. BitcoinATM.news submitted questions to all three operators regarding their data breach responses and recovery scam awareness. This story will be updated upon receipt of responses.