ATM Malware Attacks Result In Loss Of $20 Million In 2025
In 2025 and early 2026, law enforcement and cybersecurity agencies in the United States have sounded repeated alarms over the rise of sophisticated ATM "jackpotting" attacks, incidents in which threat actors use malware and physical access to force automated teller machines to dispense cash illegally.
The phenomenon has cost financial institutions tens of millions of dollars and prompted an aggressive response from the Federal Bureau of Investigation (FBI), the Department of Justice (DoJ), and other agencies, illustrating how cybercrime has evolved into a potent combination of physical intrusion and malicious software exploitation.

At the core of many of these schemes is a family of malicious code known as Ploutus malware, which enables attackers to take control of the ATM's internal systems and instruct it to deliver cash on demand, all without a legitimate transaction, card, or customer account. First detected in Mexico in 2013, Ploutus has been observed in multiple variants and has long been recognized as a tool for ATM jackpotting.
It targets the Extensions for Financial Services (XFS) middleware that most ATM systems use to interface with hardware, allowing attackers to bypass the machine's standard authorization logic. Unlike traditional cyberattacks that focus on stealing sensitive data, Ploutus and similar malware target the cash-dispensing mechanisms themselves.
According to an FBI flash alert released in February 2026, the bureau has documented nearly 1,900 jackpotting incidents in the United States since 2020, with more than 700 of those occurring in 2025 alone. Those attacks resulted in over 20 million USD in stolen cash, a staggering figure that highlights both the scale and rapid growth of the problem. The alert was accompanied by technical indicators of compromise (IOCs) and recommended mitigation practices aimed at financial institutions, law enforcement partners, and private cybersecurity teams.
The mechanics of these attacks vary depending on the attacker's approach, but they all begin with physical access to the ATM. In most documented cases, threat actors force open an ATM's maintenance compartment using widely available generic keys, remove the machine's hard drive, and either infect the original drive with malware or replace it with a preloaded drive containing malicious software.
Once the compromised drive is reinstalled and the machine is rebooted, the Ploutus malware interacts directly with the ATM's hardware, overriding its legitimate software and allowing attackers to issue commands that trigger unauthorized cash withdrawals. These operations can be completed in minutes and often go unnoticed until the cash has already been taken.
The FBI alert also made clear that jackpotting attacks do not target customer accounts or cardholder data. Instead, they exploit system-level vulnerabilities in the ATM itself, meaning that bank customers are generally not the direct victims of financial loss. The losses are absorbed by banks, credit unions, and ATM operators.
This indirect impact does not diminish the threat's seriousness, as the financial losses and damage to institutional trust are substantial. Moreover, because many ATMs still run older versions of Windows or other legacy software, they are attractive targets for attackers.
In response to this surge in criminal activity, the U.S. Department of Justice has pursued aggressive legal action against those suspected of organizing and executing these schemes. Over the past several months, federal prosecutors have brought charges against dozens of individuals, many tied to the Venezuelan criminal gang Tren de Aragua, which the U.S. Treasury's Office of Foreign Assets Control designated as a Foreign Terrorist Organization in December 2025. This designation reflects the breadth of activities in which the group is implicated, extending beyond traditional crimes into coordinated cyber-enabled financial theft.
US Court Charges 31 Accused of ATM Jackpotting
In January 2026, a Nebraska federal grand jury returned an indictment charging 31 additional defendants tied to a large ATM jackpotting conspiracy that used Ploutus malware to steal millions of dollars from ATMs across the United States. That indictment was part of a broader law enforcement task force operation that had already resulted in charges against 56 other individuals, bringing the total number of people charged in connection with the scheme to 87.
The charges include conspiracy to commit bank fraud, bank burglary, computer fraud, and intentional damage to protected systems. Many of the defendants are Venezuelan or Colombian nationals, and if convicted, could face decades in prison.
In addition to these federal indictments, prosecutors in South Carolina secured convictions in related cases, with two Venezuelan nationals sentenced for their roles in similar jackpotting schemes. These defendants will be deported after serving their sentences, underscoring the international dimension of this criminal enterprise and the cooperation between immigration and law enforcement authorities in addressing it.
The investigative efforts reflect not only the severity of jackpotting crimes but also the complexity of responding to threats that blend physical intrusion with malware deployment. Prosecutors and cybersecurity professionals alike have emphasized that defending against these attacks requires both technical and physical security controls.
According to the FBI's flash alert, effective mitigations include monitoring for unauthorized use of removable storage devices; validating the integrity of ATM software "gold images" to detect unauthorized changes; enhancing physical security around ATM cabinets; deploying sensors and alarms; and routinely auditing system logs for unexpected activity. In short, defending against jackpotting demands an integrated approach that brings together physical security, endpoint protection, and threat intelligence, a significant challenge for many financial institutions.
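Of the mitigations listed above, validating the ATM software against a trusted gold image is the one most readily turned into a routine control. The following is an added example, not code from the FBI alert or from this page: it hashes every file under a trusted baseline directory, does the same for the deployed file system (read offline, as assumed here), and reports added, removed, and modified files. The sample directories it builds are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_to_gold(gold, observed):
    """Return (added, removed, modified) paths of the observed tree versus the gold manifest."""
    added = sorted(set(observed) - set(gold))          # present on the ATM, absent from the image
    removed = sorted(set(gold) - set(observed))        # part of the image, missing on the ATM
    modified = sorted(p for p in gold.keys() & observed.keys() if gold[p] != observed[p])
    return added, removed, modified


def demo():
    """Constructed sample: a tiny 'gold image' and a drifted copy of it (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as tmp:
        gold_root = Path(tmp) / "gold"
        deployed_root = Path(tmp) / "deployed"
        for root in (gold_root, deployed_root):
            (root / "xfs").mkdir(parents=True)
            (root / "xfs" / "dispenser.dll").write_bytes(b"vendor dispenser service v1")
            (root / "agent.exe").write_bytes(b"legitimate ATM agent")
        # Simulated drift: one vendor binary altered, one unexpected binary added, one file removed
        (deployed_root / "xfs" / "dispenser.dll").write_bytes(b"vendor dispenser service v1 + patched")
        (deployed_root / "unknown.exe").write_bytes(b"not in the gold image")
        (deployed_root / "agent.exe").unlink()
        return compare_to_gold(build_manifest(gold_root), build_manifest(deployed_root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

In practice the gold manifest is generated once from the vendor image, stored off the ATM, and compared against each machine on a schedule or after any service visit.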
Experts have also noted that as jackpotting techniques evolve, so too have the tools attackers use. Ploutus malware has been observed in multiple variants over the years, and its continued presence in high-profile cases demonstrates that criminal groups are refining their capabilities rather than abandoning them. This evolution underscores a broader trend in cybercrime: specialized malware families are repurposed and adapted over time to exploit new vulnerabilities, whether in software stacks or operational practices.
The spotlight on ATM jackpotting has had a ripple effect throughout the cybersecurity community. Financial institutions and ATM manufacturers are being urged to reexamine their security posture, particularly given the continued use of legacy operating systems and outdated middleware that remain prevalent in many deployments. There is also a heightened emphasis on cross-industry collaboration and information sharing, recognizing that siloed defenses are less effective against coordinated, adaptive criminal networks.
Despite these efforts, shortcomings persist. Many ATMs across the U.S. continue to run software that is no longer actively supported with security updates, leaving them vulnerable to exploitation. Law enforcement actions may deter some actors, but the underlying incentives (the large amounts of cash held inside ATMs and the relative anonymity of cash transactions) remain strong drivers of criminal innovation. As such, cybersecurity professionals argue that the industry must treat jackpotting not as an isolated anomaly but as part of a continuum of threats that blends physical and digital attack vectors.
Ultimately, the surge in ATM jackpotting and the corresponding legal actions against those responsible illustrate a critical juncture in the fight against financially motivated cybercrime. With millions of dollars lost, hundreds of incidents logged, and dozens of suspects indicted, the stakes are high for both defenders and attackers. How effectively financial institutions and law enforcement continue to adapt their strategies will likely shape the ATM security landscape for years to come.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.