The Federal Bureau of Investigation (FBI) has issued a warning regarding a significant increase in ATM jackpotting attacks across the United States. Criminal groups are increasingly utilizing cyber-physical methods to compromise automated teller machines.
The data indicates a worrying trend: over 700 incidents with losses exceeding $20 million were reported in 2025, a sharp escalation compared to previous years, out of a total of 1,900 attacks since 2020.
These ATM attacks involve a blend of physical intrusion and digital manipulation. Perpetrators often gain initial access to the machine's internal components using generic keys or by physically forcing open the ATM face.
Once inside, they deploy malware, most notably Ploutus malware, via USB drives or by replacing the hard drive entirely. This specific malware targets the eXtensions for Financial Services (XFS) middleware, which banking applications use to communicate with hardware peripherals.
The bureau noted that these attacks do not require a connection to a bank customer account to dispense cash and, with very little code adjustment, can be used across ATMs of different manufacturers; the compromise exploits the Windows operating system.
“The malware interacts directly with the ATM hardware, bypassing any communications or security of the original ATM software,” the warning says.
To combat this surge, the FBI has released technical indicators to help financial institutions identify compromised machines. Indicators include specific error messages, the presence of unauthorized USB devices, or evidence of tampering with the hard drive.
The bureau emphasizes that these ATM jackpotting attacks are often difficult to detect in real time, as the theft occurs at the machine level rather than through the banking network's transaction processing system.
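The indicators described above can be checked on the machine side, shown here as an added detection example that is not from the FBI warning or the original article. It scans constructed telemetry for unauthorized USB devices, a hard drive that differs from the recorded baseline, and cash dispenses with no host-authorized transaction; the log format, event names, allowlist and inventory values are all assumptions.

```python
"""Added example: flag jackpotting indicators in constructed ATM telemetry."""

# Constructed sample telemetry; the key=value line format is hypothetical.
SAMPLE_LOG = """\
2025-11-03T01:58:11Z atm=ATM-0042 event=DISPENSE amount=200 txn=T1001
2025-11-03T02:14:07Z atm=ATM-0042 event=USB_ATTACH device=0781:5567
2025-11-03T02:15:02Z atm=ATM-0042 event=DISK_SEEN serial=WD-FFFF0000
2025-11-03T02:16:30Z atm=ATM-0042 event=DISPENSE amount=2000 txn=-
2025-11-03T02:16:41Z atm=ATM-0042 event=DISPENSE amount=2000 txn=T9999
2025-11-03T02:20:00Z atm=ATM-0077 event=USB_ATTACH device=046d:c31c
"""

# Assumed inventory data a bank would keep per machine (values constructed).
ALLOWED_USB = {"046d:c31c"}                       # approved service keyboard
BASELINE_DISK = {"ATM-0042": "WD-AAAA1111", "ATM-0077": "WD-BBBB2222"}
HOST_AUTHORIZED_TXNS = {"T1001"}                  # IDs approved by the host


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a 'ts' field."""
    ts, *pairs = line.split()
    record = dict(p.split("=", 1) for p in pairs)
    record["ts"] = ts
    return record


def find_indicators(log_text):
    """Return (timestamp, atm, reason) tuples for each suspicious event."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        r = parse_line(line)
        atm, event = r["atm"], r["event"]
        if event == "USB_ATTACH" and r["device"] not in ALLOWED_USB:
            findings.append((r["ts"], atm, "unauthorized USB device"))
        elif event == "DISK_SEEN" and r["serial"] != BASELINE_DISK.get(atm):
            findings.append((r["ts"], atm, "hard drive differs from baseline"))
        elif event == "DISPENSE" and r["txn"] not in HOST_AUTHORIZED_TXNS:
            # Cash left the machine with no matching host authorization.
            findings.append((r["ts"], atm, "dispense without host transaction"))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The dispense check is a reconciliation between dispenser events and host approvals, so it flags cash-out that the transaction processing system never saw.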
In December, Tren de Aragua members were indicted in a multi-million-dollar ATM jackpotting scheme involving the same malware. In 2021, two Belarusian hackers were arrested in Poland for ATM jackpotting.