← Back to Blog Scam Anatomy

Bitcoin ATM Scam: $333M Stolen in 2025 — The Forensic Trace

A caller poses as the FBI. A grandparent withdraws $15,000 in cash. An hour later it is sitting in a Binance deposit address in Asia. This is the most explosive elder fraud channel in the country — and it leaves more on-chain evidence than almost any other crypto scam.

Bitcoin ATM scam forensic trace diagram: cash entering a kiosk on the left, on-chain hop graph in the middle, exchange deposit on the right
📅 Published May 15, 2026 🔄 Updated May 15, 2026 ⌛ ~16 min read ✎ Zack Coffing
30-Second Answer

What it is: A scam in which a caller impersonates law enforcement, a bank, or a government agency, convinces the victim to withdraw cash from their bank, and instructs them to deposit it into a Bitcoin ATM (crypto kiosk) to a wallet address the scammer controls. The cash converts to Bitcoin and is irreversible within minutes.

How big: The FBI's IC3 logged approximately $333 million in losses to crypto kiosk fraud in 2025, up sharply from prior years. Around 86% of victims are 60 or older. Indiana enacted what is described as the first statewide ban on crypto kiosks in March 2026; roughly 29 states have kiosk-specific consumer protection laws enacted or in advanced stages.

What is recoverable: Direct on-chain reversal is impossible. What is realistically achievable is forensic attribution — tracing from the kiosk operator's settlement wallet to the scammer's off-ramp deposit at Binance, OKX, HTX, or another centralized exchange, and producing the evidence package law enforcement and civil counsel need to subpoena that exchange.

In This Article

  1. Why I am writing this differently
  2. Bitcoin ATM scams by the numbers (2025 / 2026)
  3. How the scam actually works, end to end
  4. Why kiosk scams target people over 60
  5. The forensic trace: what happens to your money after the kiosk
  6. The kiosk operators — Bitcoin Depot, CoinFlip, RockItCoin and what they retain
  7. What investigators look for: the forensic checklist
  8. State bans and federal enforcement: 2026 update
  9. What to do in the first 7 days after a kiosk scam
  10. Frequently asked questions

Why I Am Writing This Differently

Most articles about Bitcoin ATM scams are written by content marketers who have never actually traced one. They tell you to "be careful," to "never send crypto to strangers," and to "report it to the FBI." That advice is correct and also useless to the person who is reading this article at 11pm on the day they lost $20,000 of their parents' retirement money.

I am a working blockchain forensic investigator. The cases I take that involve crypto kiosks share a depressingly consistent shape: an elderly victim, a confidently-impersonated authority figure on the phone, a few hours of escalating panic, a drive to a gas station or convenience store, and a transaction hash printed on a thermal receipt. The receipt is the most valuable piece of paper in the case. People throw it away because they think it is evidence of their humiliation. It is the start of the trace.

What I want this article to do is two things at once. First, give the friends and family of victims a clear, unflinching account of how the scam actually works at every layer — psychological, operational, and technical — so they can spot it sooner the next time. Second, give victims who are still inside the first 72 hours a realistic framework for what is actually recoverable, what is not, and what an investigation can and cannot deliver. There will be no recovery promises in this article. There will be a lot of detail about the trace work that produces real attribution.

Bitcoin ATM Scams by the Numbers (2025 / 2026)

$333M
FBI IC3 reported losses to crypto kiosk fraud in 2025
86%
Share of victims aged 60 or older
~29
US states with kiosk-specific consumer protection laws enacted or advanced (2026)
~30,000
Estimated cryptocurrency kiosks installed in the United States
$10K+
Median loss per victim in IC3 kiosk-related complaints
10x
Approximate growth in kiosk-related IC3 losses since 2020

Two patterns matter most when you read these numbers. First, the dollar growth dramatically outpaces the growth of crypto adoption generally — this is not a "more crypto means more crypto crime" story, it is a targeted-channel story. Operators of the social-engineering side of the scam have figured out that crypto kiosks are the most efficient way to extract retirement-aged wealth from a US victim, and they have industrialized accordingly.

Second, the demographic concentration is extreme. In a typical pig butchering case the median victim is somewhere in their 40s or 50s; in kiosk fraud the curve is shifted hard to the right. Adult Protective Services in multiple states have flagged kiosk fraud as the fastest-growing channel of elder financial exploitation they handle. AARP has made it a federal advocacy priority. The Spokane Valley case in 2025 — in which an elderly victim died by suicide after losing his life savings to a kiosk-funneled scam — is widely cited in legislative testimony precisely because the harm here is not only financial.

How the Scam Actually Works, End to End

Every kiosk scam I have worked follows roughly the same six-act structure. The variables are the impersonated authority and the cover story; the arc is the same.

Act 1: The cold call

The phone rings. The caller ID often spoofs a recognizable number — the local sheriff's department, the IRS, the Social Security Administration, a federal court, sometimes the victim's own bank. The caller claims to be a federal agent, a fraud investigator, a Social Security officer, a tech support specialist from Microsoft or Apple, or a customs officer. Sometimes the call is preceded by a fake browser pop-up locking the victim's screen and instructing them to call a "Microsoft security number." Sometimes the caller knows the victim's name, address, or last four digits of their Social Security number from a prior data breach.

Act 2: The fabricated emergency

The caller invents a crisis. Common scripts include: "Your Social Security number has been used in drug trafficking and your accounts are about to be frozen." "Your bank has been compromised and your savings will be drained unless you move them to a federal safe account." "There is a warrant out for your arrest because your identity was used in a crime, and you must post bond electronically." "Your computer is sending child sexual abuse material across the network and we need to secure your evidence." The script's specifics vary; the function is constant: induce intense fear and a deadline.

Act 3: Isolation

The caller instructs the victim to stay on the phone, not to discuss the call with anyone (because "this is a federal investigation and even mentioning it could be obstruction"), and to act immediately. The victim drives to their bank with the scammer in their ear coaching them on what to say to the teller — "tell them it is for a home repair," "tell them it is a private investment," "tell them anything other than the truth." Many kiosk scams are caught at this stage by trained tellers who recognize the warning signs and refuse to release the funds. The successful scams are the ones where teller intervention failed or was bypassed.

Act 4: The kiosk

The victim is directed to a specific kiosk, often by name and address. Operators of the social-engineering side maintain lists of kiosks by location, model, and per-transaction limit; the scammer picks one with limits that accommodate the planned dollar amount. The victim arrives carrying a paper bag of cash. The scammer instructs them step by step over the phone: select Bitcoin, scan this QR code (the scammer's wallet), insert the cash. The kiosk takes a photo of the victim's ID, captures a selfie, sends a verification code to the victim's phone, and prints a receipt with the destination wallet address and a transaction hash.

Act 5: Settlement

Within minutes of the cash hitting the bill validator, the operator's hot wallet broadcasts a Bitcoin transaction to the destination address. The exact timing varies by operator and by network conditions but typically lands on-chain within 5 to 30 minutes. From the moment that transaction is mined into a confirmed block, the funds are functionally irreversible at the protocol level. The kiosk operator cannot reverse it. The blockchain cannot reverse it. Nobody can.

Act 6: Realization

Sometimes the realization happens hours later, when the scammer demands a second deposit and the victim balks. Sometimes it happens days later when the victim mentions the call to a family member who instantly recognizes it as fraud. By that time the scammer has typically moved the funds through one to three intermediate hops and deposited them at an exchange — usually Binance, OKX, or HTX in an Asia-Pacific region — for conversion to a fiat-stablecoin pair and ultimately to local currency.

The window that closes the trace

From the moment the kiosk's settlement transaction confirms, the scammer has roughly 2 to 24 hours before the funds typically land at a centralized exchange where, if law enforcement moves fast enough and the exchange responds, the deposit can sometimes be frozen before the scammer withdraws to fiat. The first day matters more than the next thirty.

Why Kiosk Scams Target People Over 60

The 86 percent figure is not random. Kiosk fraud is the cleanest example of a scam channel that has been engineered around a specific demographic.

Older Americans are statistically more likely to answer calls from unknown numbers, more likely to engage at length with a confident impersonator of authority, more likely to have substantial cash or near-cash savings available to withdraw same-day, less likely to have a workplace-cybersecurity background that would have inoculated them against social engineering, and less likely to have prior hands-on experience with cryptocurrency. The unfamiliarity is the active ingredient. A scammer cannot easily walk a 30-year-old crypto holder through depositing $15,000 into a kiosk because the 30-year-old has a self-custody wallet and would ask "why don't I just send it from my own wallet?" The 75-year-old has no frame of reference at all, which means the scammer's narration of the kiosk interface ("press this button, scan this code") slots cleanly into the existing emotional state of fear and urgency.

The other dimension is isolation. The script's instruction to keep the call private, to not mention it to family, to act immediately — these are designed to short-circuit the most reliable defense an older person has, which is calling their kid before doing anything financially irreversible. If the family relationship is strong, the call gets made and the scam dies. If the relationship is distant or the victim is embarrassed about needing help, the call does not get made. For families: the most effective intervention you can make today is not lecturing your parent about Bitcoin scams. It is telling them that no matter what an authority figure on the phone tells them, they should always call you before taking out cash. Make the rule unconditional. See our piece on helping a parent who was scammed for the full framework.

The Forensic Trace: What Happens to Your Money After the Kiosk

This is the section where most articles on this topic go silent because most authors do not actually do this work. I am going to walk through the four stages of an on-chain trace from a kiosk-fraud receipt to an off-ramp exchange deposit, in the order the investigation actually unfolds.

Step 1: The kiosk operator's KYC, receipt, and camera footage

The case starts before the blockchain. Every kiosk transaction above a low dollar threshold (the threshold varies by operator and jurisdiction; typically a few hundred dollars) generates a structured evidence trail on the operator's side:

  • Receipt with destination wallet address and transaction hash. Printed on thermal paper at the kiosk. Often discarded by the victim. This single piece of paper is the highest-value artifact in the case — the wallet address is the trace anchor; the transaction hash is the timestamp and the operator-side proof of settlement.
  • Driver license scan. The kiosk camera captures both sides of the ID. Stored against the transaction record on the operator's compliance platform.
  • Real-time selfie. Captured at transaction time and matched against the ID photo via a liveness check.
  • Phone number and verification code. The operator sends an SMS code to the phone the victim provides; the code has to be entered to complete the transaction. The phone number itself is a piece of corroborating evidence that the victim was the person at the kiosk.
  • Camera footage. Both the kiosk's own integrated camera and, in most cases, the host venue's surveillance system (the gas station, convenience store, vape shop, or laundromat where the kiosk lives) capture the victim during the transaction. Camera retention varies but is often 30 to 90 days.
  • Internal tagging and prior fraud reports against the destination address. If the destination wallet has been reported by other victims of the same scammer, the operator may already have it tagged internally. Some operators will preserve and produce this on a written request even before a subpoena issues.

For the investigator, the first call is to the operator's compliance or fraud team requesting written preservation of all of the above. This matters because absent a preservation request, surveillance footage in particular ages off the system on a fixed retention schedule. The earlier the preservation goes in, the more is salvageable.

Step 2: The operator's hot wallet and the settlement transaction

Cryptocurrency kiosk operators do not move the customer's specific cash directly to the scammer's address. They aggregate customer purchases into a hot wallet and broadcast a settlement transaction from the hot wallet to the customer's specified destination. The settlement transaction is the on-chain artifact that matters — it is what shows up on a block explorer when you paste the transaction hash from the receipt.

From the investigator's view, the settlement transaction tells you: the operator's hot wallet address (input side), the scammer's destination address (output side), the exact amount sent (after fees and operator spread), the timestamp at block-confirmation precision, and the inclusion in a specific Bitcoin block which itself ties to a specific moment in real-world time. This becomes the upstream anchor of the trace.

Step 3: The scammer's address typically routes to an Asian off-ramp exchange within hours

The scammer's destination address — the one printed on the victim's receipt — is rarely held passively. In the operationally consistent pattern I see in case after case, the scammer moves the funds within hours of receipt, typically through one to three intermediate hops, and deposits at a centralized exchange in an Asia-Pacific jurisdiction (most commonly Binance, OKX, or HTX, with smaller volumes to Bybit, MEXC, and KuCoin). The choice of exchange is not random — it reflects which exchanges the scam operation has working accounts at, which jurisdictions are slow to respond to US law enforcement requests, and which off-ramps efficiently convert Bitcoin to USDT and then to local fiat.

The hop pattern between the kiosk receipt address and the exchange deposit address takes several recurring shapes:

  • Direct deposit. Receipt address sends directly to a deposit address at a known exchange cluster. The simplest and most common pattern when the scammer is operating at low sophistication.
  • Single intermediary. Receipt address sends to a fresh intermediary wallet, which forwards to the exchange deposit. The intermediary serves as a buffer.
  • Peeling chain. The scammer "peels" small amounts off the main flow at each hop, creating a chain of small change outputs and a main flow that continues forward. A classic obfuscation technique that does not actually break the trace but slows manual analysis.
  • CoinJoin or mixer. More sophisticated scammers route through a CoinJoin coordinator (Wasabi, Whirlpool) or a custodial mixer. This degrades the trace for the specific hop but does not eliminate downstream attribution — the funds typically come out of the mixer in identifiable chunks within a constrained time window.
  • Cross-chain swap. Bitcoin gets swapped to USDT on Tron via a cross-chain bridge or a non-KYC swap service, then deposited at the exchange as Tron-USDT. Tron is the dominant rails for the off-ramp leg specifically because USDT on Tron has minimal fees and minimal KYC friction at the swap layer. See our piece on stolen USDT recovery for the Tron-side trace methodology.

Whichever path the scammer chooses, the on-chain record is permanent. The investigator's job is to follow it from the receipt address to the exchange deposit, identify the exchange and the deposit address with high confidence, and produce the documentation that lets law enforcement subpoena the exchange for the account-holder identity behind the deposit.

Step 4: The on-chain evidence package

The deliverable is not "we recovered your money." The deliverable is an evidence package that includes the kiosk operator's KYC and receipt artifacts (subject to subpoena or operator cooperation), the on-chain trace from the operator's hot wallet through every hop to the exchange deposit address, the attribution of that exchange deposit to a named exchange and a named cluster (with the methodology and confidence level documented), and a written narrative that a federal investigator or civil attorney can hand to the exchange's compliance team or use as the foundation of a Section 1782 / mutual legal assistance request to the exchange's home jurisdiction.

That package is what unlocks subsequent action: a freeze request to the exchange (which may catch funds if the scammer has not yet withdrawn), a subpoena to the exchange for KYC records on the deposit address, a civil pleading naming "John Doe" defendants tied to the on-chain identifiers, or aggregation into a federal task force case where the same operator is hitting many victims simultaneously. None of those are guarantees of restitution. All of them are downstream of an evidence package that does not exist until somebody does the trace work.

Why kiosk cases are forensically rich

Compared to a typical pig butchering case where the victim sent crypto from their own wallet to a scammer's address, kiosk cases start with significantly more evidence: a regulated operator with KYC on file for the victim's side, surveillance footage of the transaction, a printed receipt with the transaction hash, and a clean upstream anchor (the operator's hot wallet) on-chain. The trace from that anchor forward is the same as any other on-chain trace; the front end is unusually well-documented.

The Kiosk Operators: Bitcoin Depot, CoinFlip, RockItCoin and What They Retain

The US kiosk market is concentrated among a handful of operators. They differ in geographic footprint, transaction limits, KYC thresholds, and (importantly for victims) responsiveness to fraud reports and preservation requests. The table below covers the operators most frequently encountered in casework.

OperatorFootprintWhat they typically retain
Bitcoin Depot Largest US footprint; thousands of kiosks across most states. Publicly traded. ID scan, selfie, phone verification, transaction record with hash and destination address, kiosk camera footage, host-venue camera footage where available. Has a published fraud reporting channel and compliance team that responds to written preservation requests.
CoinFlip Major national footprint; thousands of kiosks. Sells BTC, ETH, USDT, LTC and several others. ID scan, selfie, phone, transaction record, camera footage. Multi-asset operator means receipts may show non-BTC settlement; the trace methodology adapts but the structure is the same.
RockItCoin National footprint, several thousand kiosks. ID scan, phone, transaction record. Compliance and fraud team responsive to subpoena and preservation requests.
Athena Bitcoin US national plus Latin America. Public company. Standard MSB KYC suite; transaction record with hash. Latin America footprint relevant for cross-border cases.
CoinHub (Lux Vending) National footprint with strong convenience-store presence. Standard ID, selfie, phone, transaction record.
Bitstop / ChainBytes / Pelicoin / many regional operators Smaller national or regional footprints. Vary by operator and jurisdiction; all FinCEN-registered MSBs operating in the US are required to maintain BSA-compliant records.

Two important notes for victims and family. First, all of these operators are federally registered Money Services Businesses under FinCEN and are subject to Bank Secrecy Act recordkeeping. They are required to retain customer identification and transaction records. They are not the scammer. They are an intermediary that processed the victim's transaction in compliance with their regulatory obligations — the scammer is the person on the phone who told the victim to use the kiosk.

Second, response quality to fraud reports varies meaningfully across operators. Bitcoin Depot and CoinFlip in particular have built out fraud-response programs in the wake of state legislation requiring them to. Reporting promptly and in writing — with the receipt's transaction hash and destination address — gives the operator the inputs they need to flag the destination address internally, refuse further deposits routed to it, and preserve the relevant records pending subpoena.

What Investigators Look For: The Forensic Checklist

If you are reading this article from the investigator side or you are a family member trying to assemble the case file before engaging a professional, these are the artifacts and trace points that drive the analysis:

  • The kiosk receipt. Transaction hash, destination wallet address, amount in fiat and crypto, kiosk identifier, timestamp, operator name. The single highest-value artifact in the case.
  • The bank withdrawal record. Branch, time, teller, denomination of bills withdrawn. Useful for both the trace timeline and for any insurance or civil dispute downstream.
  • The scammer's phone number and call log. Especially the duration and timing of the call relative to the bank withdrawal and kiosk deposit. Patterns across multiple cases tied to the same number may indicate a single scam operation.
  • Any text messages, emails, or screenshots of fake notices. The "frozen account" warning, the "warrant for arrest" PDF, the "Microsoft security alert" pop-up. Preserved as is, not retyped.
  • The destination wallet address and its on-chain history. First transaction, last transaction, total volume in and out, cluster membership (does this address belong to a known scam cluster?), prior reports against it.
  • The hop graph. Every transaction from the destination address forward, traced through intermediate hops to a known terminal — usually an exchange deposit cluster, occasionally a mixer or a cross-chain swap.
  • The exchange attribution. Which exchange holds the deposit cluster? What confidence level? What is the exchange's response posture to US law enforcement and civil subpoenas? Does the exchange have a US compliance footprint that creates jurisdiction?
  • Cluster expansion to other victims. Are there other addresses in the same cluster that received funds from other kiosks at other times? If yes, the operation is multi-victim and the investigative case scales accordingly.
  • The operator's internal records. Kiosk camera footage, host-venue surveillance, any notes in the operator's compliance system about the destination address.

Not every case yields every artifact. The cases that resolve cleanly are the ones where the receipt was preserved, the operator was contacted within 72 hours, and the on-chain trace landed at an exchange that responds to subpoena. The cases that go nowhere are the ones where the receipt was thrown away, no preservation request went in, and the funds disappeared into a non-cooperative jurisdiction. The first week sets the ceiling on what is possible later.

State Bans and Federal Enforcement: 2026 Update

The legislative response to kiosk fraud has accelerated sharply in 2025 and 2026. The patterns:

Indiana: the first statewide ban

Indiana enacted what is widely described as the first true statewide ban on cryptocurrency kiosks in March 2026. The law removes operators from the state's regulatory framework and prohibits new installations. The effect on existing kiosks — whether they must be removed or simply cannot operate — depends on the implementing rules and on legal challenges that operators and trade associations are mounting. Indiana's move is being closely watched by legislators in other states as a test case for whether the ban-vs-regulate debate breaks toward outright prohibition.

The restriction-and-disclosure model: the dominant pattern

Most states pursuing kiosk legislation in 2025 and 2026 have adopted some version of a restriction-and-disclosure model rather than an outright ban. Common provisions across enacted and pending laws include:

  • Per-transaction or per-day limits for new customers, often $1,000 or $2,000 in the first week or month of activity at a given operator.
  • Mandatory written warnings at the kiosk, frequently in red text and large type, naming common scam patterns (impersonation of law enforcement, bank fraud investigators, government agencies).
  • Mandatory refund windows in which a first-time defrauded customer can recover their funds from the operator if they report within a short period (commonly 30 days or less) and provide a police report.
  • Operator licensing and reporting requirements, with state-specific MSB registration or money transmitter licensing on top of the federal FinCEN registration.
  • Operator liability for inadequate warnings — statutory damages for victims if the operator did not display the required warnings.

States with enacted or advanced kiosk-specific legislation as of mid-2026 include Vermont, Minnesota, California, Nebraska, Arizona, Rhode Island, Washington, Connecticut, Maryland, Illinois, and a growing number of others. AARP and consumer advocacy groups identify approximately 29 states as either having enacted laws or actively advancing them. The patchwork is rapidly normalizing toward a baseline of disclosure plus refund-window protection.

Federal enforcement and FinCEN

Federal enforcement has moved on multiple tracks. The FBI's Virtual Assets Unit handles aggregation of kiosk-related complaints filed via IC3 and prioritizes cases that reach material loss thresholds or that link to identified organized scam operations. FinCEN has continued to enforce BSA recordkeeping and Suspicious Activity Report obligations on kiosk operators; civil money penalties have been levied against operators that failed to maintain adequate AML programs. The FTC tracks kiosk fraud as a category in its Consumer Sentinel data and publishes elder fraud reports that consistently flag kiosks as a top channel.

For victims, the practical implication is that the state of refuge for a scammer running a US-targeted kiosk operation is narrowing — both because more states are forcing disclosure and refund obligations onto the operators, and because federal enforcement has built up the capacity to aggregate and act on the on-chain attribution that investigators produce. The asymmetry is still strongly in the scammer's favor, but the trajectory is moving in the right direction. For more on the federal reporting side, see our pieces on how to report a crypto scam to the FBI and the IC3 complaint guide.

What to Do in the First 7 Days After a Kiosk Scam

This is the action checklist. If you are reading this for someone else — a parent, a grandparent, a client — print it out and walk through it with them.

Hour 0 to 24: Stop, preserve, and report

  • Stop any further contact with the scammer. Do not answer return calls. Do not respond to texts. Do not click any new links they send.
  • Preserve every artifact. Save the kiosk receipt (transaction hash and destination address). Save the bank withdrawal slip. Save the scammer's phone number, every text or email, every screenshot of any fake browser pop-up or warning notice. Save voicemails. Do not retype any of this — the original artifact is the evidence.
  • File a local police report. Get the report number. You will need it for the bank, for any insurance claim, and for any civil action.
  • File an IC3 report at IC3.gov. File regardless of dollar amount.
  • Report to the kiosk operator's fraud line. Provide the destination wallet address and the transaction hash from the receipt. Request in writing that they preserve all KYC, transaction, and surveillance records related to the destination address.

Day 2 to 3: Notify the bank and protect remaining accounts

  • Notify the bank where the cash was withdrawn. They cannot reverse the cash withdrawal, but they may be able to flag the account, advise on dispute options, and intervene if the scammer attempts a follow-up against any other accounts.
  • Place a fraud alert on credit reports with all three bureaus (Equifax, Experian, TransUnion). Consider freezing credit.
  • Change every password. Especially email, banking, brokerage. Enable two-factor authentication on all of them. If the scammer obtained access to anything during the call (a remote-access tool, a screen share, an account login), assume that access is still live until you have verified it is not.

Day 3 to 5: Engage Adult Protective Services and the operator's compliance team

  • Adult Protective Services in the relevant state, if the victim is 60 or older. Many states are mandatory-reporter jurisdictions and APS may have additional resources or interventions available.
  • Written preservation request to the kiosk operator's compliance department, separate from the initial fraud report. The written request triggers the operator's formal preservation hold on records that would otherwise age off retention schedules.
  • Civil counsel consultation if the loss is significant. Even before any litigation decision, having counsel involved early establishes the chain of custody on the evidence and clarifies what subpoenas or freezes might be pursuable.

Day 5 to 7: Engage a blockchain forensic investigator if loss is material

  • Engage an independent blockchain forensic investigator for a scoping review. Typical threshold for engaging professional investigation is $5,000 or more in loss, though the calculation also depends on whether the loss is part of a recurring pattern or a one-time event.
  • The investigator's deliverable is the on-chain trace from the kiosk operator's settlement transaction forward to the off-ramp exchange, plus the attribution package law enforcement and civil counsel use to pursue the case. See our piece on how to hire a blockchain forensic investigator for what to look for.
  • Do not engage anyone who guarantees recovery. Within hours of the scam being reported anywhere public, the victim will likely be contacted by people claiming to be "recovery specialists" or "asset retrieval agents." They are running the secondary scam. See legitimate vs scam recovery services and a recovery service contacted me for the patterns to watch for.

For the broader post-scam framework that applies regardless of the specific channel, see what to do after a crypto scam. For families dealing with this on behalf of a parent, parent scammed by crypto: how to help is the closest companion piece. For the broader question of post-incident expectations, can you get crypto back after being scammed walks through what attribution and law enforcement action realistically deliver.

Need the trace done? Start with a free scoping call.

If a parent or family member was hit by a Bitcoin ATM scam, we will scope the trace from the kiosk receipt to the off-ramp exchange and tell you honestly what an evidence package can and cannot achieve in your specific case. Initial assessments are free and we respond within 24 hours.

Start a Free Case Review

Frequently Asked Questions

What is a Bitcoin ATM scam?
A fraud in which a victim is socially engineered — typically by a caller posing as law enforcement, a bank fraud investigator, a Social Security agent, or tech support — into withdrawing cash from their bank, driving to a cryptocurrency kiosk, and depositing the cash into a wallet address provided by the scammer. The kiosk converts the cash to Bitcoin (or USDT, ETH, depending on the operator) and sends it to the scammer's address. The transaction is irreversible the moment the kiosk's settlement transaction confirms on-chain. The FBI's IC3 logged approximately $333 million in losses to crypto kiosk fraud in 2025, with the vast majority of victims aged 60 and older.
Can you recover money from a Bitcoin ATM scam?
Direct recovery of funds from the on-chain destination is rare because the scammer typically moves the Bitcoin to an off-ramp exchange — usually Binance, OKX, or HTX in an Asia-Pacific region — within hours. What is realistically achievable is forensic attribution: tracing the funds from the kiosk operator's settlement wallet to the scammer's primary deposit, through the hop chain, and to the exchange deposit address. That on-chain evidence package, combined with the kiosk operator's retained KYC, is what law enforcement and civil counsel use to subpoena the exchange and pursue the scammer or, where applicable, claw funds from frozen exchange balances.
Why do Bitcoin ATM scams target older people?
FBI 2025 IC3 data shows roughly 86 percent of victims are 60 or older. The pattern reflects three things: older victims are more likely to answer unknown calls and engage with authority impersonators, more likely to have substantial bank balances available to withdraw, and less likely to have prior exposure to cryptocurrency mechanics — meaning the kiosk feels foreign and intimidating, which is exactly the disorientation the scammer's pressure script depends on.
What KYC information do Bitcoin ATM operators keep?
FinCEN-registered Money Services Businesses are required to collect and retain customer identification under the Bank Secrecy Act. In practice, on transactions above several hundred dollars the kiosk captures a scan of the user's driver license, a phone number that receives a verification code, a real-time selfie matched against the ID photo, a printed receipt with the transaction hash and destination wallet address, and surveillance camera footage from the kiosk and the host venue. This information is the foundation of the operator-side evidence package and is normally retrievable by law enforcement subpoena to operators like Bitcoin Depot, CoinFlip, RockItCoin, Athena Bitcoin, and CoinHub.
Are Bitcoin ATMs being banned?
Outright bans are rare but rising. Indiana enacted what is described as the first statewide ban on cryptocurrency kiosks in March 2026. More commonly, states have passed restriction-and-disclosure statutes: transaction limits for new customers, mandatory written warnings, mandatory refund windows for first-time users, registration and licensing of operators, and operator liability for inadequate fraud warnings. As of mid-2026, AARP and consumer advocacy groups identify roughly 29 states with kiosk-specific consumer protection laws either enacted or in advanced legislative stages.
How fast does a Bitcoin ATM transaction become irreversible?
Bitcoin transactions are functionally irreversible the moment they are mined into a confirmed block, which on the Bitcoin network averages about 10 minutes. Many operators batch user transactions and broadcast a settlement to the destination address within 5 to 30 minutes of the cash being inserted. From the moment the operator broadcasts, no party can reverse the transaction at the protocol level. What can happen post-broadcast is freezing of downstream value at a centralized exchange if the scammer deposits there and the exchange honors a law enforcement freeze request before the scammer withdraws.
Should I file a police report and an IC3 report after a kiosk scam?
Yes, both, and within 72 hours if possible. File a local police report (you will need it for any insurance, bank dispute, or civil action). File with the FBI Internet Crime Complaint Center regardless of the dollar amount — cumulative reports against the same wallet address eventually trigger federal aggregation. Notify the kiosk operator directly through their fraud reporting channel; they may be able to flag the destination address internally and freeze any additional victim deposits routed to it. Do not delete the receipt, the call log of the scammer, or any messages exchanged.
What is the difference between a Bitcoin ATM scam and other crypto scams?
Most crypto scams move funds wallet-to-wallet on the blockchain, where the victim's identity is just an address. A Bitcoin ATM scam is unusual because the entry point is a regulated, KYC-collecting physical machine with cameras and an operator that is a registered Money Services Business. That changes the forensic picture significantly: the victim side has corroborating identity records, location, and timestamp documented by a regulated entity, and the operator's hot wallet provides a clean starting point on-chain. The trace from kiosk settlement forward is structurally the same as any other on-chain trace, but the front end has more evidence than a typical pig butchering or romance scam case.

For the broader category of authority-impersonation scams that funnel into kiosks, see I think I am being scammed. For the post-incident framework that applies across all crypto scam types, see what to do after a crypto scam. For the broader pig-butchering category that increasingly uses kiosks as a deposit channel for the cash leg, see pig butchering scam recovery.

Zack Coffing

Founder of Wallet Witness. Independent blockchain forensic investigator specializing in crypto scam analysis, digital asset tracing, and litigation support. Based in the United States, serving victims and attorneys worldwide.