What Happened
On May 18, 2026, Bitcoin Depot Inc. filed a voluntary petition for reorganization under Chapter 11 of the US Bankruptcy Code in the United States Bankruptcy Court for the Southern District of Texas. The Atlanta-based company, which operated the largest Bitcoin ATM network in North America by market share, simultaneously took its entire fleet of approximately 9,000 kiosk locations offline. CEO Alex Holmes stated in the official press release that 'the regulatory environment for Bitcoin ATM operators has shifted significantly, with states imposing increasingly stringent compliance obligations, new transaction limits, and in some jurisdictions outright restrictions or bans on BTM operations.' The company plans to effect an orderly wind-down of operations and facilitate a sale of its assets under court supervision.
Bitcoin Depot's collapse is the largest failure in the Bitcoin ATM industry's history. The company had operated since 2016 with a mission to connect cash-preferring users to Bitcoin through retail kiosk locations in 47 US states and through its BDCheckout product at thousands of name-brand retail stores in 31 states. At peak operation it claimed the largest North American market share in a segment that, by Bitcoin Depot's own disclosures, had been contracting under regulatory pressure for more than a year. Nasdaq-listed shares (ticker: BTM) crashed approximately 70% in pre-market trading following the filing.
The Compliance Ratchet That Killed the Business
The proximate cause is visible in Bitcoin Depot's Q1 2026 financials. Revenue fell 49% year-over-year to approximately $83.5 million. The decline began after states started imposing daily transaction limits, some as low as $500 per day, while simultaneously requiring ATM operators to meet bank-grade KYC and anti-money laundering standards. Bitcoin Depot responded in February 2026 by rolling out a universal identity verification system across its entire network. Every transaction, regardless of size, now required the user to scan a government-issued ID and complete a biometric confirmation step before the transaction could proceed.
The upgrade did not save the business. It likely accelerated its decline. The users most likely to use a Bitcoin ATM, those who prefer cash, those without convenient banking access, those who value the pseudonymity of a cash transaction, are also the users most likely to abandon a service that now demands the same identity verification a bank account requires while restricting transaction sizes to amounts smaller than most bank accounts permit. The compliance ratchet produced a product that required bank-grade KYC while offering cash-machine-grade convenience and transaction limits. Neither the users who came for convenience nor the users who came for privacy had a reason to stay. The attorneys general of Massachusetts and Iowa added pressure from a different direction, filing separate civil lawsuits alleging that Bitcoin Depot kiosks had facilitated crypto scams targeting elderly and financially vulnerable users. Combined with the state-level regulatory restrictions, the litigation created an operating environment the company's revenue could not sustain.
The KYC Database as Bankruptcy Asset
When a company files for Chapter 11, its assets become property of the bankruptcy estate. Tangible assets (kiosks, leases, equipment) and intangible assets (software, brand, customer data) are catalogued, valued, and eventually sold to satisfy creditor claims. Bitcoin Depot's customer data, including government-issued identification documents, biometric confirmation records collected since February 2026, phone numbers, email addresses, and transaction histories from hundreds of thousands of users across its operating history, is an intangible asset with real market value to data brokers, financial services companies, and potentially to other ATM operators seeking a customer list.
The data exposure risk from a bankruptcy asset sale is structurally different from a conventional data breach. A hack takes data without authorization and the company at least characterizes itself as the victim. A bankruptcy asset sale transfers data through a court-supervised process with full legal authority to a buyer who may have completely different data practices. The buyer of Bitcoin Depot's assets becomes the custodian of whatever personal information Bitcoin Depot collected. Federal bankruptcy courts have applied no consistent standard for protecting consumer privacy in such sales. In some prior tech-company bankruptcies, courts imposed buyer restrictions on consumer data use. In others, data transferred without restriction. The treatment here will depend on whether any party (a state attorney general, the FTC, a privacy advocacy group, or an individual customer) raises the issue formally in the proceedings before the sale closes.
This risk has already partially materialized once. Bitcoin Depot disclosed in July 2025 that a June 2024 external system breach had exposed the personal information of approximately 27,000 customers, including names, phone numbers, driver's license numbers, birth dates, and email addresses. That breach was the unauthorized version. The bankruptcy asset sale is the authorized version, covering a database that grew substantially after the February 2026 biometric rollout. The biometric data category, specifically the facial confirmation images and liveness checks Bitcoin Depot collected, introduces a data type that most existing customer-data transfer frameworks were not designed to address.
What This Means for You
If you have used Bitcoin Depot ATMs at any point in the company's operating history, the first concrete step is to understand what data you provided. Any transaction completed through universal ID verification after February 2026 left a biometric record and a government ID scan in Bitcoin Depot's systems. Any transaction that required phone verification or email confirmation created a record linking your phone number or email to a transaction timestamp and amount. That record is now in a bankruptcy estate. Monitor your email and phone number for phishing attempts that reference your ATM transaction history, since that data now has an uncertain custodian.
If you hold Bitcoin in a Bitcoin Depot-issued wallet or any instrument issued directly by the company (distinct from Bitcoin purchased at an ATM and transferred to your own hardware wallet), treat that as an urgent action item. The company's operations are shut down. Any custodial holdings at a company that has ceased operations are at risk in the liquidation process. Contact the bankruptcy court's case docket for the Southern District of Texas to monitor the asset sale timeline.
For readers who have never used Bitcoin Depot, the structural lesson is about the on-ramp and the record it creates. Bitcoin purchased through a KYC-compliant on-ramp and moved to a hardware wallet you control has the right structure: the KYC record exists at the point of purchase, but the asset stays under your key control no matter what happens to the on-ramp. Bitcoin purchased through non-KYC peer-to-peer channels (Bisq, HodlHodl, direct cash trades with a trusted counterparty) creates no such record at all. Each method has different tradeoffs. The Bitcoin Depot bankruptcy illustrates what a KYC record becomes when the on-ramp that created it enters the legal system: a transferable asset, a data breach vector, and an item in an estate sale. The compliance ratchet that killed the business model did not eliminate the data. It transferred it to a bankruptcy proceeding.
What to Watch
Watch the bankruptcy court docket for the asset sale terms, specifically whether the sale includes any buyer restrictions on the use of the KYC database or whether biometric data is carved out or disposed of separately. Whether any state attorney general, the FTC, or a privacy advocacy organization intervenes in the proceedings to impose data-protection conditions before the sale closes is the next signal to track. Other Bitcoin ATM operators (Coinstar's Coinme, LibertyX, Coinhub) bear watching for similar financial pressure given that Bitcoin Depot's filing signals the state regulatory environment is lethal for this business model at scale. A related question is whether the FTC or state privacy regulators assert any jurisdiction over the disposition of biometric confirmation data specifically, since Bitcoin Depot's February 2026 biometric rollout introduced a data category that most existing customer-data transfer frameworks were not designed to address. And watch whether the bankruptcy produces any clarity on what happened to the June 2024 breach data, since the chain of custody for that data becomes relevant again when the entire company's records change hands.