Bitcoin Depot Reports Material Cybersecurity Breach, $3.7M In Bitcoin Stolen; Investigation Underway, Incident Believed Contained To Corporate Environment; No Impact On Customer Platforms; Incident Has Not Had Material Impact On Company Operations As Of April 6, 2026

On March 23, 2026, Bitcoin Depot Inc. (the "Company") discovered that an unauthorized party gained access to certain of its information technology systems. Upon detection, the Company promptly activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement. Based on the Company's investigation to date, the unauthorized actor gained access to certain systems and obtained control of credentials associated with the Company's digital asset settlement accounts. As a result, the unauthorized actor transferred approximately 50.903 Bitcoin from Company-controlled wallets, valued at approximately $3.665 million as of the date of this report, without authorization. The Company further believes that the incident was contained to the Company's corporate environment and did not affect the Company's customer platforms, divisions, systems, data or environments.

The Company continues to investigate the nature and scope of the incident with the assistance of third-party specialists. As part of its remediation efforts, the Company is working with its outside cybersecurity experts to further reinforce its information technology systems and to prevent future unauthorized access. The Company has not identified evidence that customer personally identifiable information was accessed or exfiltrated in connection with the incident; however, the investigation remains ongoing.

As of the date of this Current Report on Form 8-K, the incident has not had a material impact on the Company's operations. On April 6, 2026, the Company nevertheless determined that the incident is material in light of potential consequences of the incident, including reputations harm, legal, regulatory and response costs. The Company believes that the incident is not reasonably likely to have a material impact on the Company's financial condition or results of operations but has not yet determined the full impact of the incident. The Company has recorded a preliminary estimate of loss of approximately $3.665 million, representing the fair value of the Bitcoin transferred without authorization as of the date of the incident. The ultimate impact may differ from this estimate as the investigation continues. The Company maintains insurance coverage that may cover certain losses associated with cybersecurity incidents, but there can be no assurance that such coverage will be sufficient to recover any or all losses incurred as a result of this incident.