FBI warns that hackers are forcing ATMs to spit out cash in rising jackpotting attacks


The FBI is sounding the alarm over a surge in malware-enabled “jackpotting” attacks that let hackers force ATMs to spit out stacks of cash on command – no card or PIN required.


An FBI Flash intelligence brief issued on Tuesday warns of a sharp rise in ATM jackpotting attacks reported across the country targeting US banks and credit unions over the past 12 months.


“Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them with more than $20 million in losses occurred in 2025 alone,” the FBI states.

The Flash provides technical details about the attacks, including indicators of compromise (IOCs) and mitigations, so that the public can stay informed and defenders can harden their automated teller machines (ATMs).

The federal law enforcement agency says threat actors exploit both physical weaknesses (cabinet locks, accessible drives) and software weaknesses in the machines, and that the work is usually done directly on-site.

One of the more popular malware strains deployed by threat actors is the “Ploutus family malware,” described as a highly sophisticated, persistent, and evolving suite of malicious code, compatible with multiple ATM platforms and manufacturers.

First detected in 2013, the backdoor malware allows cybercriminals to “bypass bank authorization entirely” and then instruct the ATM to dispense cash on demand until the machine is empty.

“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn,” the FBI explains.

[Image: Cybercriminals deploy malware to bypass network security and instruct ATMs to spit out cash on demand. Image by Cybernews.]

How hackers hijack ATMs using Ploutus

Ploutus malware is designed to abuse XFS, the software layer on the ATM's Microsoft Windows PC through which the banking application talks to the machine's internal hardware.

Short for eXtensions for Financial Services (the CEN/XFS standard), XFS is the middleware that tells the ATM's devices what to physically do during a legitimate transaction: read a card in the card reader, accept a PIN on the keypad, or dispense notes from the cash dispenser. The security-relevant point is that XFS itself does not decide whether a withdrawal is allowed. That decision is made by the ATM application and the bank's host before the application hands a dispense command to XFS, and the dispense command carries no proof of that decision.

Ploutus therefore does not need to defeat the bank's authorization at all. Running on the same Windows PC as the legitimate ATM application, it simply issues its own dispense commands to the XFS layer, the FBI says, and the dispenser obeys them exactly as it would a legitimate one.
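To make the point concrete, here is an added, illustrative model of the dispense path. It is not code from the FBI Flash, from Ploutus, or from any real CEN/XFS implementation: the class names, the `WFSExecute` method, the error codes and the per-machine HMAC key are all assumptions made for the example. It shows why a dispense command issued to the XFS layer needs no customer or host involvement, and one control that fixes that: binding every dispense to a host-issued, single-use token that the dispenser firmware itself verifies.

```python
"""Toy model of the ATM dispense path: plain XFS-style dispenser vs. one that
demands a host authorization token per dispense. Added example, not real XFS."""
import hashlib
import hmac
import os
import struct

# CEN/XFS numbers the cash-dispenser (CDM) dispense command in the 300 range;
# 302 is the author's recollection (assumption) and nothing below depends on it.
WFS_CMD_CDM_DISPENSE = 302
WFS_SUCCESS = 0
WFS_ERR_INVALID_DATA = -6  # placeholder error code (assumption)


class Dispenser:
    """Stand-in for the CDM service provider. It knows nothing about cards,
    PINs or accounts: whoever reaches WFSExecute() with a dispense gets notes."""

    def __init__(self, notes_in_cassette):
        self.notes = notes_in_cassette
        self.log = []

    def WFSExecute(self, command, count):
        if command != WFS_CMD_CDM_DISPENSE:
            return WFS_ERR_INVALID_DATA, 0
        given = min(count, self.notes)
        self.notes -= given
        self.log.append(given)
        return WFS_SUCCESS, given


def jackpot(dispenser, notes_per_call=40, max_calls=1000):
    """What Ploutus-style malware does: loop the dispense command until the
    cassette is empty. No card, PIN or host is involved at any point."""
    total = 0
    for _ in range(max_calls):
        if dispenser.notes == 0:
            break
        _, given = dispenser.WFSExecute(WFS_CMD_CDM_DISPENSE, notes_per_call)
        total += given
    return total


class Host:
    """Bank host (toy). Shares a per-machine key with the dispenser firmware
    (assumption) and signs each dispense it authorizes: nonce || count || tx."""

    def __init__(self, key):
        self.key = key

    def authorize(self, tx_id, count):
        nonce = os.urandom(16)
        msg = struct.pack(">16sI", nonce, count) + tx_id.encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"tx_id": tx_id, "count": count, "nonce": nonce, "tag": tag}


class AuthorizingDispenser(Dispenser):
    """Dispenser that refuses any dispense lacking a valid, unused host token
    bound to the requested note count. This models firmware that holds the
    key; a user-mode check on the ATM PC would not help, since malware there
    runs with the same privileges as the ATM application."""

    def __init__(self, notes_in_cassette, key):
        super().__init__(notes_in_cassette)
        self.key = key
        self.seen_nonces = set()

    def WFSExecute(self, command, count, token=None):
        if token is None:
            return WFS_ERR_INVALID_DATA, 0
        msg = struct.pack(">16sI", token["nonce"], count) + token["tx_id"].encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token["tag"]):
            return WFS_ERR_INVALID_DATA, 0      # forged, or count changed
        if token["nonce"] in self.seen_nonces:
            return WFS_ERR_INVALID_DATA, 0      # replayed token
        self.seen_nonces.add(token["nonce"])
        return super().WFSExecute(command, count)


def scenario():
    """Legitimate withdrawal, then three things malware might try against the
    hardened dispenser: change the count, replay the token, omit the token."""
    key = os.urandom(32)
    host, atm = Host(key), AuthorizingDispenser(200, key)
    token = host.authorize("T1", 5)
    return {
        "legit": atm.WFSExecute(WFS_CMD_CDM_DISPENSE, 5, token),
        "tampered_count": atm.WFSExecute(WFS_CMD_CDM_DISPENSE, 40, token),
        "replay": atm.WFSExecute(WFS_CMD_CDM_DISPENSE, 5, token),
        "no_token": atm.WFSExecute(WFS_CMD_CDM_DISPENSE, 40),
        "notes_left": atm.notes,
    }


if __name__ == "__main__":
    print("plain dispenser emptied:", jackpot(Dispenser(200)))   # 200
    print("hardened dispenser:", scenario())                     # only legit succeeds
```

Against the plain `Dispenser`, `jackpot()` drains all 200 notes; against `AuthorizingDispenser` it gets nothing, and the only call that succeeds in `scenario()` is the one carrying a fresh host token for the exact count requested. The caveat is where the verification runs: on a real machine it has to be the dispenser firmware (vendors sell this as "secure dispense" or encrypted dispenser communication), because anything on the Windows PC can be patched by code that has already replaced the hard drive.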


The attacks themselves are carried out on site, typically after the cybercriminals have staked out the physical security surrounding the ATMs.

Once the threat actor reaches the target machine, they open the ATM's cabinet, most often using “widely available generic keys” that fit the top-box locks of many models, and remove the hard drive that holds the Windows operating system and the ATM software.

To infect the ATM, the threat actor either connects the drive to their own computer, installs the malware, and puts the drive back, or simply swaps in a replacement drive already preloaded with the malicious software.

Then all the hackers have to do is reboot the ATM, and they have complete control of the cash-dispensing platform, with no bank card or customer account information needed to trigger a withdrawal. The swap works because the ATM boots whatever is on the drive: unless the disk is encrypted with keys tied to that machine's hardware, the boot chain is verified, and application control limits what the platform will run, nothing on the machine checks that the operating system and ATM software are the bank's own.

[Image: FBI warns of a rise in malware-enabled ATM jackpotting attacks across the US. Image by Cybernews.]

What banks should watch for now

In late December, the US Department of Justice (DoJ) indicted 54 gang members of Tren de Aragua (TDA) for carrying out a spate of ATM jackpotting attacks using the Ploutus malware, netting the Venezuelan criminal group $40.73 million in stolen cash.

The TDA gang members “employed methodical surveillance and burglary techniques to install the malware, and then steal and launder money from the ATMs to fund terrorism and other criminal activities,” DoJ officials said at the time.

[Image: Tren de Aragua gang members were indicted in December for carrying out hundreds of ATM jackpotting attacks. Image by Cybernews.]

The FBI Flash is encouraging financial organizations to become familiar with ATM jackpotting IOCs, which include the following:

  • Digital indicators - executable files, associated files, scripts, new directories
  • Persistence mechanisms - abnormal autoruns, custom services
  • Physical interaction indicators - USB or unauthorized device insertion, ATM door open alerts, Low/No cash, removal of hard drives
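The indicators above only pay off when they are correlated: a door-open alert on its own is a service visit, and a reboot on its own is routine, but an unticketed door-open followed minutes later by a drive removal, a reboot, a new service, and dispenses the host never authorized is a jackpotting run. The following is an added example, not from the FBI Flash or any vendor tool, of that correlation over a handful of constructed log lines. The log format (timestamp followed by `key=value` pairs), the event names, the approved-path allowlist and the time windows are all assumptions chosen for the example.

```python
"""Correlate ATM event logs against the jackpotting IOC classes: physical
interaction, persistence, and dispenses without host authorization.
Added example with constructed sample data; not real ATM telemetry."""
from datetime import datetime, timedelta

# Constructed sample log (not real data). ATM-0417 is attacked; ATM-0212 is a
# normal day with a ticketed service visit and a host-authorized withdrawal.
SAMPLE_LOG = """\
2025-03-04T02:11:40 atm=ATM-0417 event=DOOR_OPEN
2025-03-04T02:14:02 atm=ATM-0417 event=DRIVE_REMOVED
2025-03-04T02:19:55 atm=ATM-0417 event=BOOT
2025-03-04T02:20:30 atm=ATM-0417 event=SERVICE_CREATED name=Diag path=C:\\Windows\\Temp\\diag.exe
2025-03-04T02:21:10 atm=ATM-0417 event=DISPENSE count=40 tx=none
2025-03-04T02:21:30 atm=ATM-0417 event=DISPENSE count=40 tx=none
2025-03-04T02:22:00 atm=ATM-0417 event=CASH_LEVEL notes=0
2025-03-04T09:05:00 atm=ATM-0212 event=HOST_AUTH tx=T9001 count=5
2025-03-04T09:05:03 atm=ATM-0212 event=DISPENSE count=5 tx=T9001
2025-03-04T10:00:00 atm=ATM-0212 event=DOOR_OPEN ticket=CIT-5521
2025-03-04T10:06:00 atm=ATM-0212 event=BOOT
"""

# Where legitimate services and autoruns are allowed to live (assumption).
APPROVED_PATH_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\System32\\")
PHYSICAL_WINDOW = timedelta(minutes=30)   # door-open to drive/boot
AUTH_WINDOW = timedelta(minutes=5)        # host authorization to dispense


def parse(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return a list of (atm, rule, timestamp) alerts."""
    alerts = []
    door_open = {}     # atm -> time of last door-open with no service ticket
    authorized = {}    # (atm, tx) -> (time, count) from HOST_AUTH events
    for line in log_text.strip().splitlines():
        r = parse(line)
        atm, event, ts = r["atm"], r["event"], r["ts"]

        # Physical interaction: unticketed door-open, then drive removal/reboot.
        if event == "DOOR_OPEN":
            if "ticket" in r:
                door_open.pop(atm, None)        # scheduled visit
            else:
                door_open[atm] = ts
        elif event in ("DRIVE_REMOVED", "BOOT"):
            opened = door_open.get(atm)
            if opened is not None and ts - opened <= PHYSICAL_WINDOW:
                alerts.append((atm, event.lower() + "_after_door_open", ts))
                if event == "BOOT":
                    door_open.pop(atm, None)    # sequence complete, reset

        # Persistence: services/autoruns outside the approved locations.
        elif event in ("SERVICE_CREATED", "AUTORUN_ADDED"):
            if not r.get("path", "").startswith(APPROVED_PATH_PREFIXES):
                alerts.append((atm, "unapproved_persistence", ts))

        # Dispenses must match a recent host authorization for the same tx
        # and note count; anything else is cash leaving without the bank.
        elif event == "HOST_AUTH":
            authorized[(atm, r["tx"])] = (ts, int(r["count"]))
        elif event == "DISPENSE":
            auth = authorized.pop((atm, r.get("tx")), None)
            if (auth is None or ts - auth[0] > AUTH_WINDOW
                    or auth[1] != int(r["count"])):
                alerts.append((atm, "dispense_without_host_auth", ts))
    return alerts


if __name__ == "__main__":
    for atm, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {atm} {rule}")
```

Run as-is, the script raises five alerts, all for ATM-0417 (drive removal and reboot after an unticketed door-open, one unapproved service, two unauthorized dispenses) and none for ATM-0212. The "Low/No cash" indicator from the FBI's list fits the same pattern: a cassette reaching zero with no matching `HOST_AUTH` events in the preceding hour is the after-the-fact version of the third rule, which is why the dispense-level check is the one worth getting into the SIEM first.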

The FBI asks that suspicious activity be reported to the local FBI field office or the Internet Crime Complaint Center (IC3), with details such as the bank name, branch, location, and contact information, along with the ATM's manufacturer, make, and model.

Other helpful information to include is the ATM vendor's name and contact information, together with whatever logging is available from the machine.

