ATM jackpotting attacks surge, thieves steal $20M via malware
Summary
ATM jackpotting attacks using malware like Ploutus stole over $20M last year, with 700+ incidents in 2025. Criminals physically access ATMs to install malware that forces cash dispensing. The FBI warns of rising cases and shares detection signs.
ATM jackpotting attacks surge in the US
Thieves stole more than $20 million from ATMs last year using a malware-assisted technique called jackpotting. The FBI warns these attacks are increasing across the United States.
In an ATM jackpotting attack, criminals exploit physical and software vulnerabilities to deploy malware that forces the machine to dispense cash without bank authorization. More than 700 of the 1,900 incidents reported since 2020 occurred in 2025 alone, according to a Thursday FBI security alert.
How the jackpotting attacks work
Criminals first gain physical access to the ATM using generic keys that open its front panel. They then infect the machine's computer with specialized malware.
This is done either by removing the ATM's hard drive to copy malware onto it, or by swapping the drive for one pre-loaded with malicious code. The malware targets the machine's core financial software.
The malware exploiting ATM systems
The attacks commonly use malware like Ploutus, which exploits the eXtensions for Financial Services (XFS) standard. XFS is an open API that allows banking software to operate across different vendors' ATM hardware.
Normally, XFS facilitates legitimate commands, like sending a transaction for bank authorization before dispensing cash. The malware hijacks this system, allowing attackers to issue their own commands and bypass authorization entirely to dispense cash on demand.
Financial impact and detection challenges
Unlike card skimming, these attacks do not directly steal customer card data or PINs. The financial loss falls entirely on banks and financial institutions.
However, the incidents are difficult to detect until after the cash is physically withdrawn, leading to tens of millions in losses. The FBI alert outlines several indicators of compromise to help institutions identify attacks.
Key indicators of a compromised ATM
The FBI's alert lists specific digital and physical signs that an ATM may be infected with jackpotting malware. Key indicators include:
- Specific malicious executable files, scripts, and associated files on Windows-based ATMs.
- Event log IDs that appear when unauthorized USB storage devices are inserted.
- Physical tampering, such as removed hard drives or unauthorized devices plugged into the machine.
- The ATM failing to indicate it is out of cash when it should be empty.
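As an added example (not part of the FBI alert or this article), the following Python checks two of the indicator classes above against constructed ATM host telemetry: USB mass-storage insertions recorded in the Windows event log, and dispenser hardware counters that exceed the notes the host actually authorized, which is how an ATM ends up "not empty" in its own accounting while the cassette is already drained. The event provider, event ID, field layout and sample values are assumptions for illustration, not values from the alert.

```python
"""Check two FBI jackpotting indicators against constructed ATM host telemetry.

Event IDs, provider names and field layouts below are assumptions for this
example; the FBI alert lists the indicator classes, not these exact values.
"""
from dataclasses import dataclass

# Assumption: Windows Kernel-PnP logs event 400 to the System log when a
# device is configured; a USBSTOR device instance path marks mass storage.
USB_STORAGE_EVENTS = {("Microsoft-Windows-Kernel-PnP", 400)}


@dataclass(frozen=True)
class Event:
    provider: str
    event_id: int
    device: str  # device instance path taken from the event's message


def usb_storage_insertions(events):
    """Device paths of USB mass-storage devices configured on the ATM host.
    Keyboards, mice and other non-storage USB devices are ignored."""
    return [e.device for e in events
            if (e.provider, e.event_id) in USB_STORAGE_EVENTS
            and e.device.upper().startswith("USBSTOR\\")]


def unauthorized_dispense_gap(authorized_notes, dispenser_counter_notes):
    """Notes the dispenser hardware counted out beyond what the host authorized.
    Malware driving the dispenser through XFS bypasses the host's accounting,
    so the host still believes the cassette holds cash that is already gone."""
    return max(0, dispenser_counter_notes - authorized_notes)


def assess(events, authorized_notes, dispenser_counter_notes):
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = [f"usb storage inserted: {d}" for d in usb_storage_insertions(events)]
    gap = unauthorized_dispense_gap(authorized_notes, dispenser_counter_notes)
    if gap:
        findings.append(f"{gap} notes dispensed with no authorized transaction")
    return findings


# Constructed sample: one mouse, one flash drive (configured, then started).
SAMPLE_EVENTS = [
    Event("Microsoft-Windows-Kernel-PnP", 400, "USB\\VID_046D&PID_C077\\6&2A1B3C4D&0&1"),
    Event("Microsoft-Windows-Kernel-PnP", 400, "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\\ABC123&0"),
    Event("Microsoft-Windows-Kernel-PnP", 410, "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\\ABC123&0"),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_EVENTS, authorized_notes=1200, dispenser_counter_notes=1800):
        print(finding)
```

In a real deployment the authorized-note count comes from the bank's transaction host and the dispenser count from the device's own XFS counters, so the comparison must be made off the ATM, not by software the ATM host could have been tampered into running.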
How to report suspected jackpotting
The FBI urges anyone who observes suspicious activity or signs of ATM jackpotting to report it immediately. Reports can be filed with a local FBI field office through the FBI website or directly with the FBI's Internet Crime Complaint Center (IC3).
Prompt reporting is critical to investigating these crimes and mitigating further financial losses across the banking system.