FBI Reports Surge in ATM Jackpotting Attacks With $20 Million Lost in 2025

FBI Warns ATM Jackpotting Surged in 2025, With 700+ Attacks and $20M Stolen Using Ploutus Malware
Written By: Kelvin Munene
Reviewed By: Manisha Sharma

The FBI says malware-enabled ATM ‘jackpotting’ attacks increased across the United States in 2025, with criminals using physical access and malicious software to force cash machines to dispense money on demand. 

In a FLASH alert, the bureau reported more than 700 jackpotting incidents in 2025 alone, contributing to more than $20 million in losses. More than 1,900 incidents have been reported since 2020, according to the same alert. 

The FBI said attackers focus on the ATM device itself, which can make the theft hard to spot until after the cash leaves the machine.

FBI Details How ATM Jackpotting Groups Access Machines

The FBI said most attacks start with direct access to the ATM cabinet. Criminals often open the ATM face using widely available generic keys, then reach internal components that control the machine.

From there, attackers commonly remove the hard drive and connect it to another computer to load malware. Others replace the drive with a “foreign” hard drive or external device that already contains malware, then reboot the ATM to run the altered system.

Ploutus Malware Targets XFS Commands to Trigger Cash-Outs

The FBI warned that the Ploutus malware family remains a key tool in these cash-out attacks. The alert said Ploutus exploits eXtensions for Financial Services (XFS), the software layer that sends instructions between an ATM application and hardware like the card reader, keypad, and cash dispenser.

In normal operation, the ATM application sends commands through XFS as part of a bank-authorized transaction. The FBI said Ploutus lets attackers issue their own commands to XFS, which can bypass bank authorization and make the ATM dispense cash without using a bank card, customer account, or bank approval.

The FBI also said the malware interacts directly with ATM hardware and can work across different ATM manufacturers with limited changes, because attackers exploit the underlying Windows operating system during the compromise.

DOJ Links Nationwide Jackpotting Cases to a Larger Criminal Network

Federal prosecutors have tied some ATM jackpotting activity to organized criminal groups. In a December 2025 press release, the US Department of Justice said a federal grand jury returned two indictments charging 54 people for roles in a conspiracy that used malware to steal millions from ATMs.

The Justice Department said the indictment alleged that Tren de Aragua used jackpotting proceeds and moved funds among members and associates to conceal the origin of the cash. 

An official statement in the release said the defendants used “methodical surveillance and burglary techniques to install malware into ATMs.”

Mitigation Steps Focus on Locks, Sensors, and Hard Drive Protections

The FBI urged ATM operators and financial institutions to strengthen both physical and technical controls. Recommended steps include replacing standard locks to reduce the risk posed by keys sold online, adding alarms or keypad controls for maintenance hatches, and improving camera coverage around ATMs.

On the technical side, the bureau recommended tighter auditing around removable storage, validating system integrity against a verified ‘gold image,’ and using hard drive encryption to reduce the chance that attackers can load malware onto a removed drive. 

The FBI also suggested configuring ATMs to enter shutdown or ‘out of service’ mode when systems detect a confirmed combination of jackpotting indicators. For context, Europol has previously published guidance on ATM malware risks, which supports a broader industry push toward ATM hardening.
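
The 'confirmed combination of indicators' rule can be sketched as a small correlation check. This is an added example, not code from the FBI alert or any ATM vendor: the event names, log format, 30-minute window and three-indicator threshold are all assumptions chosen to mirror the attack steps described above.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical names): ISO time, ATM id, indicator.
SAMPLE_LOG = """\
2025-01-10T02:14:05 ATM-0001 cabinet_opened
2025-01-10T02:16:40 ATM-0001 disk_removed
2025-01-10T02:21:12 ATM-0001 unexpected_reboot
2025-01-10T02:22:03 ATM-0001 gold_image_mismatch
2025-01-10T09:00:00 ATM-0002 cabinet_opened
2025-01-10T09:00:30 ATM-0002 cabinet_opened
2025-01-10T15:45:00 ATM-0002 unexpected_reboot
"""

INDICATORS = {"cabinet_opened", "disk_removed", "usb_storage_attached",
              "unexpected_reboot", "gold_image_mismatch"}
WINDOW = timedelta(minutes=30)   # assumed correlation window
THRESHOLD = 3                    # assumed: distinct indicators needed to confirm


def parse(log_text):
    """Yield (timestamp, atm_id, indicator) for well-formed, known events."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in INDICATORS:
            continue  # ignore malformed lines and unknown event types
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def out_of_service_decisions(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {atm_id: time} at which the distinct-indicator threshold was first met."""
    recent = {}     # atm_id -> list of (timestamp, indicator) inside the window
    decisions = {}
    for ts, atm, indicator in sorted(parse(log_text)):
        if atm in decisions:
            continue  # already taken out of service
        events = [(t, i) for t, i in recent.get(atm, []) if ts - t <= window]
        events.append((ts, indicator))
        recent[atm] = events
        # Repeats of one indicator count once, so a single noisy sensor cannot trip it.
        if len({i for _, i in events}) >= threshold:
            decisions[atm] = ts
    return decisions


if __name__ == "__main__":
    print(out_of_service_decisions(SAMPLE_LOG))
```

On the constructed sample, ATM-0001 is taken out of service at the reboot that follows the cabinet and disk events, while ATM-0002's repeated door events and a reboot hours later never reach the threshold.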
