Crims hit a $20M jackpot via malware-stuffed ATMs
Summary
ATM jackpotting attacks using malware like Ploutus stole over $20M last year, with 700+ incidents in 2025. Criminals physically access ATMs to install malware that forces cash dispensing. The FBI warns of rising cases and shares detection signs.
ATM jackpotting attacks surge in the US
Thieves stole more than $20 million from ATMs last year using a malware-assisted technique called jackpotting. The FBI warns these attacks are increasing across the United States.
In an ATM jackpotting attack, criminals exploit physical and software vulnerabilities to deploy malware that forces the machine to dispense cash without bank authorization. More than 700 of the 1,900 incidents reported since 2020 occurred in 2025 alone, according to a Thursday FBI security alert.
How the jackpotting attacks work
Criminals first gain physical access to the ATM using generic keys that open its front panel. They then infect the machine's computer with specialized malware.
This is done either by removing the ATM's hard drive to copy malware onto it, or by swapping the drive for one pre-loaded with malicious code. The malware targets the machine's core financial software.
The malware exploiting ATM systems
The attacks commonly use malware like Ploutus, which abuses the eXtensions for Financial Services (XFS) standard. XFS is an open API layer that lets a bank's application software drive peripherals such as the cash dispenser, card reader, and PIN pad regardless of which vendor built the ATM hardware.
Normally, only the ATM's application issues XFS commands, and it sends a dispense command only after the bank's host has authorized the transaction. The malware talks to the XFS layer directly, so attackers can issue their own dispense commands and bypass that authorization step entirely, emptying the cassettes on demand.
Financial impact and detection challenges
Unlike card skimming, these attacks do not directly steal customer card data or PINs. The financial loss falls entirely on banks and financial institutions.
However, the incidents are difficult to detect until after the cash is physically withdrawn, leading to tens of millions in losses. The FBI alert outlines several indicators of compromise to help institutions identify attacks.
Key indicators of a compromised ATM
The FBI's alert lists specific digital and physical signs that an ATM may be infected with jackpotting malware. Key indicators include:
- Specific malicious executable files, scripts, and associated files on Windows-based ATMs.
- Event log IDs that appear when unauthorized USB storage devices are inserted.
- Physical tampering, such as removed hard drives or unauthorized devices plugged into the machine.
- The ATM not reporting that it is out of cash after its cassettes have been emptied.
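The two digital indicators above (USB storage attached to a Windows-based ATM, and an executable running that is not part of the ATM's software image) are the kind of thing an institution would watch for in collected Windows event logs. The following is an added illustration, not code from the FBI alert or from any ATM vendor. It assumes events arrive as one JSON object per line from a log collector; it keys on Security event 6416 (a new external device was recognized) and 4688 (process creation), which are standard Windows Security-log IDs rather than the specific IDs the FBI alert lists; the executable allowlist, the maintenance window, and the sample log lines are all constructed for the example.

```python
"""Flag jackpotting indicators in Windows event logs exported from ATMs.

Added example. Assumptions (not from the FBI alert):
  * one JSON object per line, fields: time, host, event_id, plus
    device_id (for 6416) or process (for 4688);
  * Security 6416 = new external device recognized (Plug and Play audit),
    Security 4688 = process creation; both are standard Windows IDs;
  * KNOWN_EXECUTABLES and the maintenance window are hypothetical.
"""
import json
from datetime import datetime, time
from typing import List, Optional

# Hypothetical allowlist of binaries that belong on the ATM image.
KNOWN_EXECUTABLES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\ATM\App\XFSHost.exe",   # hypothetical vendor application
}

# Hypothetical window (02:00-04:00 local) in which a technician may
# legitimately attach a device during scheduled servicing.
MAINT_START, MAINT_END = time(2, 0), time(4, 0)

# Windows device instance IDs for USB mass storage start with "USBSTOR".
USB_STORAGE_MARKER = "USBSTOR"


def in_maintenance_window(ts: datetime) -> bool:
    return MAINT_START <= ts.time() < MAINT_END


def analyze_event(ev: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, or None if benign."""
    ts = datetime.fromisoformat(ev["time"])
    eid = ev["event_id"]
    host = ev.get("host", "?")

    # Indicator: USB storage attached outside a maintenance window.
    if eid == 6416 and USB_STORAGE_MARKER in ev.get("device_id", ""):
        if not in_maintenance_window(ts):
            return (f"{host}: USB storage attached outside maintenance "
                    f"window at {ts.isoformat()} ({ev['device_id']})")

    # Indicator: a process that is not part of the known ATM image.
    if eid == 4688:
        exe = ev.get("process", "")
        if exe not in KNOWN_EXECUTABLES:
            return f"{host}: unknown executable started: {exe}"

    return None


def scan(lines) -> List[str]:
    """Run analyze_event over JSON lines, skipping blanks; return alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = analyze_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: a technician's USB stick during the maintenance
# window, a USB stick at 14:22, a keyboard at 14:30, a known binary, and
# an unlisted binary launched from a temp directory.
SAMPLE_LOG = r"""
{"time": "2025-03-02T03:10:00", "host": "ATM-0042", "event_id": 6416, "device_id": "USBSTOR\\Disk&Ven_Generic&Prod_Flash"}
{"time": "2025-03-02T14:22:05", "host": "ATM-0042", "event_id": 6416, "device_id": "USBSTOR\\Disk&Ven_Generic&Prod_Flash"}
{"time": "2025-03-02T14:30:11", "host": "ATM-0042", "event_id": 6416, "device_id": "HID\\VID_046D&PID_C31C"}
{"time": "2025-03-02T14:31:40", "host": "ATM-0042", "event_id": 4688, "process": "C:\\Windows\\System32\\svchost.exe"}
{"time": "2025-03-02T14:32:02", "host": "ATM-0042", "event_id": 4688, "process": "C:\\Temp\\update.exe"}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print("ALERT", a)
```

On the constructed sample this raises two alerts: the USB storage device attached at 14:22 and the unlisted `C:\Temp\update.exe`. In a real deployment the allowlist would be the hashes of the signed ATM image rather than paths, and a 6416 hit should be correlated with the ATM's dispense and cassette counters, since a drive swap done with the machine powered off leaves no USB event at all.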
How to report suspected jackpotting
The FBI urges anyone who observes suspicious activity or signs of ATM jackpotting to report it immediately. Reports can be filed with a local FBI field office through the FBI website or directly with the FBI's Internet Crime Complaint Center (IC3).
Prompt reporting is critical to investigating these crimes and mitigating further financial losses across the banking system.