When Nation-States Target PLCs and Crypto ATMs Get Cleaned Out: A Rough Week for Critical Infrastructure
It’s been one of those weeks where you read the security headlines and wonder if we’re fighting a losing battle. Between Iran-backed hackers systematically targeting industrial control systems and a major crypto ATM operator losing $3.6 million to credential theft, it feels like we’re seeing the convergence of old-school industrial espionage with modern financial cybercrime.
Let me walk you through what happened and why it should concern all of us working in security.
Iran’s Systematic Attack on U.S. Industrial Systems
The most alarming story this week came from CISA’s warning about Iran-affiliated cyber actors targeting internet-facing operational technology devices across U.S. critical infrastructure. We’re not talking about opportunistic scanning here – this appears to be a coordinated campaign specifically going after programmable logic controllers (PLCs) that are exposed to the internet.
What makes this particularly concerning is the impact: CISA reported “diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial loss.” When nation-state actors start messing with industrial control systems, we’re crossing a line from espionage into potential sabotage.
The fact that these attacks succeeded tells us something uncomfortable about our critical infrastructure security posture. PLCs shouldn’t be internet-accessible in the first place, but here we are. It’s the classic OT security problem – these systems were designed for reliability and ease of maintenance, not security. Many were connected to corporate networks (and by extension, the internet) without proper segmentation or monitoring.
Bitcoin Depot’s $3.6 Million Lesson in Credential Security
Meanwhile, in the financial sector, Bitcoin Depot got hit for $3.665 million when attackers breached their systems and stole credentials that gave them access to the company’s crypto wallets. According to SecurityWeek’s reporting, the attackers managed to transfer more than 50 bitcoin after stealing those credentials.
This one hits close to home for anyone managing financial systems. Bitcoin Depot operates one of the largest Bitcoin ATM networks in the U.S., so they should have had robust security controls around wallet access. The fact that stolen credentials were enough to drain millions suggests some fundamental gaps in their access controls and monitoring.
Think about your own environment – how many high-value systems could be compromised if an attacker got hold of the right credentials? Multi-factor authentication, privileged access management, and real-time monitoring aren’t nice-to-haves anymore; they’re essential controls for any system handling significant financial assets.
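The controls named in this paragraph are easiest to reason about as a single authorization gate that every wallet operation has to pass. The following is an added example written for this post, not Bitcoin Depot's code and not a description of their actual controls; the policy limits, the approved jump-host network, the user names and the sample sessions are all constructed. It shows what "stolen credentials alone are not enough" looks like in practice: a password-only session from an unapproved source asking for a large transfer fails several independent checks, while a routine operator transfer passes.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Optional

# Everything below is constructed for illustration: limits, networks, users.


@dataclass
class Session:
    user: str
    source_ip: str
    # None when only a password was presented (no second factor this session)
    mfa_verified_at: Optional[datetime]


@dataclass
class Policy:
    mfa_max_age: timedelta = timedelta(minutes=10)   # step-up must be recent
    per_tx_limit: Decimal = Decimal("5")              # BTC, single withdrawal
    daily_limit: Decimal = Decimal("20")              # BTC, rolling 24h velocity
    dual_approval_above: Decimal = Decimal("2")       # BTC, needs second person
    # Only PAM-brokered jump hosts may talk to the wallet service (assumed range)
    allowed_sources: tuple = (ipaddress.ip_network("10.50.0.0/16"),)


def authorize_withdrawal(session, amount, now, recent, approvers, policy=Policy()):
    """Return (allowed, reasons).

    recent    -- list of (timestamp, amount) for this user's earlier withdrawals
    approvers -- set of user names who have approved this specific request
    Every failed check is reported, so the denial itself is a monitoring signal.
    """
    reasons = []

    # 1. Multi-factor authentication, and it must be fresh, not hours old.
    if session.mfa_verified_at is None or now - session.mfa_verified_at > policy.mfa_max_age:
        reasons.append("mfa: fresh second factor required for wallet operations")

    # 2. Privileged access only from approved, monitored sources.
    src = ipaddress.ip_address(session.source_ip)
    if not any(src in net for net in policy.allowed_sources):
        reasons.append(f"source: {session.source_ip} is not an approved jump host")

    # 3. Per-transaction ceiling.
    if amount > policy.per_tx_limit:
        reasons.append(f"limit: {amount} BTC exceeds per-transaction cap {policy.per_tx_limit}")

    # 4. Velocity: what has already left the wallet in the last 24 hours?
    spent_24h = sum((a for t, a in recent if now - t <= timedelta(hours=24)), Decimal("0"))
    if spent_24h + amount > policy.daily_limit:
        reasons.append(f"velocity: {spent_24h + amount} BTC in 24h exceeds {policy.daily_limit}")

    # 5. Dual control for anything material; the requester cannot approve themselves.
    if amount > policy.dual_approval_above and not (approvers - {session.user}):
        reasons.append("approval: a second, distinct approver is required")

    return (not reasons, reasons)


if __name__ == "__main__":
    now = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
    # Constructed "stolen credentials" scenario: password only, external source, large amount
    stolen = Session("wallet-ops", "203.0.113.9", None)
    print(authorize_withdrawal(stolen, Decimal("50"), now, [], set()))
    # Constructed routine operation: fresh MFA, approved source, small amount
    legit = Session("wallet-ops", "10.50.3.21", now - timedelta(minutes=2))
    print(authorize_withdrawal(legit, Decimal("1.5"), now, [], set()))
```

Each check is independent, so an attacker who defeats one (say, by stealing a password) still hits the others, and the list of reasons returned on denial is exactly what a real-time alert should carry.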
The Broader Pattern We’re Seeing
What connects these incidents isn’t just bad luck – it’s the ongoing challenge of securing systems that were designed in a different threat environment. PLCs were built when “air-gapped” actually meant something. Crypto platforms emerged in an ecosystem that prioritized innovation and user experience over security controls.
The Iran-backed attacks on industrial systems represent an escalation in how nation-states are willing to target civilian infrastructure. We’ve seen this playbook before with Russian attacks on Ukrainian power grids, but seeing it systematically applied to U.S. critical infrastructure should be a wake-up call for every organization running OT systems.
Hong Kong’s New Encryption Key Demands
There’s also a policy development worth noting: Hong Kong police can now force individuals to reveal encryption keys, even for people just transiting through the airport. Under revised National Security Law enforcement rules that took effect March 23, 2026, authorities can demand passwords or other assistance to access personal devices.
For those of us working for global organizations, this creates some serious operational security considerations. Business travel to Hong Kong now carries the risk of forced device compromise, which could expose corporate systems and data far beyond what travelers might realize.
What This Means for Our Work
These incidents reinforce a few key points we should all be thinking about:
First, the threat to industrial control systems is real and growing. If your organization operates any OT systems, network segmentation and monitoring need to be priorities, not future projects.
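"Segmentation and monitoring" for OT is concrete once you look at flow logs: any allowed connection from the internet to an industrial-protocol port on the plant network is exactly the exposure CISA is describing, and any internal connection from outside the engineering subnet is a segmentation gap. The script below is an added example written for this post (not from CISA or any vendor); the log format, the OT and engineering subnets, the port list and the sample flow lines are all constructed, so substitute your firewall's export format and your own address plan.

```python
import ipaddress
from dataclasses import dataclass

# TCP ports of common industrial protocols (constructed list; extend for your plant).
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
}

# RFC 1918 space, treated as "internal" for this example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    protocol: str
    reason: str


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed flow record:
    '<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <ALLOW|DENY>'.
    Returns None for lines that do not match."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, action = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}


def find_plc_exposure(lines, ot_net, engineering_nets):
    """Flag allowed connections to industrial ports inside ot_net whose source is
    either on the internet or an internal host outside the engineering subnets."""
    ot_net = ipaddress.ip_network(ot_net)
    eng = [ipaddress.ip_network(n) for n in engineering_nets]
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f["action"] != "ALLOW":
            continue  # malformed or already blocked at the perimeter
        if f["dport"] not in INDUSTRIAL_PORTS or ipaddress.ip_address(f["dst"]) not in ot_net:
            continue
        proto = INDUSTRIAL_PORTS[f["dport"]]
        src = ipaddress.ip_address(f["src"])
        if not is_internal(f["src"]):
            reason = "internet source reached a PLC port: device is internet-exposed"
        elif not any(src in n for n in eng):
            reason = "internal source outside the engineering subnet: segmentation gap"
        else:
            continue  # engineering workstation talking to a PLC is expected
        findings.append(Finding(f["ts"], f["src"], f["dst"], f["dport"], proto, reason))
    return findings


# Constructed sample flow records for a plant whose PLCs live in 10.20.5.0/24
# and whose engineering workstations live in 10.20.1.0/24.
SAMPLE_FLOWS = """\
2026-03-24T10:01:02Z 203.0.113.45 51234 10.20.5.10 502 TCP ALLOW
2026-03-24T10:01:05Z 10.20.1.15 40110 10.20.5.10 502 TCP ALLOW
2026-03-24T10:02:00Z 10.10.7.8 40111 10.20.5.11 102 TCP ALLOW
2026-03-24T10:02:30Z 198.51.100.7 55555 10.20.5.10 502 TCP DENY
2026-03-24T10:03:00Z 10.20.1.15 40112 10.20.5.12 443 TCP ALLOW
""".splitlines()

if __name__ == "__main__":
    for hit in find_plc_exposure(SAMPLE_FLOWS, "10.20.5.0/24", ["10.20.1.0/24"]):
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.port} ({hit.protocol}): {hit.reason}")
```

Run over the sample, the first line (an internet address reaching Modbus on a PLC) and the third (a corporate host on an S7 port) are flagged; the denied probe is ignored because the perimeter already did its job, though a spike in such denials is itself worth alerting on. The "internet source" class of finding is the one to treat as an incident rather than a backlog item.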
Second, credential theft remains one of the most effective attack vectors. The Bitcoin Depot incident shows that even well-funded organizations in the financial sector can fall victim to basic credential compromise attacks.
Finally, the geopolitical dimension of cybersecurity is becoming impossible to ignore. Whether it’s nation-state attacks on infrastructure or authoritarian governments demanding encryption keys, we’re operating in an environment where technical security decisions have political implications.
None of this is easy to solve, but acknowledging the scope of the challenge is the first step toward building more resilient systems.
Sources
- Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot
- $3.6 Million Stolen in Bitcoin Depot Hack
- Iran‑Backed Threat Actors Hit US CNI Providers via Internet‑Facing OT Assets
- Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs
- Hong Kong Police Can Force You to Reveal Your Encryption Keys