In a new warning, the Federal Bureau of Investigation (FBI) cautioned of a sharp increase in ATM jackpotting incidents across the United States.
According to the FBI advisory, more than 1,900 ATM jackpotting incidents have been reported since 2020, with over 700 cases occurring in 2025 alone, resulting in losses exceeding $20 million.
The agency stated that threat actors are exploiting both physical and software vulnerabilities in ATMs to deploy malware that forces machines to dispense cash without legitimate transactions.
Unlike traditional banking fraud, ATM cyberattacks of this kind bypass customer accounts entirely, allowing attackers to extract cash within minutes.
Ploutus Malware Driving New Wave of ATM Jackpotting Attacks
The FBI identified ATM jackpotting malware, particularly the Ploutus family, as a major driver behind the surge in attacks. The malware targets the eXtensions for Financial Services (XFS) software layer, which controls ATM hardware functions.
Once installed, Ploutus malware allows attackers to send commands directly to the cash dispenser, bypassing bank authorization systems.


Security researchers and agencies have tracked this malware for years. Experts previously noted that Ploutus is “one of the most advanced ATM malware families” observed in financial cybercrime campaigns.
First detected in 2013 by Symantec, the malware was initially used in large-scale attacks across Mexico before its global expansion. Over time, attackers have adapted the tool to work across multiple ATM vendors, including systems from Diebold Nixdorf.
The FBI noted that these attacks focus on the ATM hardware itself rather than bank networks, making them harder to detect through traditional cybersecurity monitoring.
Physical Access Still a Key Entry Point in ATM Jackpotting
One of the most concerning findings in the FBI alert is how often attackers rely on physical access to deploy ATM jackpotting malware.
Threat actors commonly:
- Open ATM panels using widely available generic keys
- Remove or replace hard drives with infected versions
- Connect external devices such as USB drives or keyboards
Because many ATMs still run Windows-based environments, attackers can execute malicious files directly after gaining physical access.
The FBI also listed several indicators of compromise, including unauthorized remote access tools such as AnyDesk or TeamViewer and suspicious executable files placed on ATM systems.
This highlights a recurring issue in ATM security: cyber defense alone is not enough without strong physical controls.
Law Enforcement Links ATM Jackpotting to Organized Crime
The FBI warning comes shortly after the United States Department of Justice indicted dozens of individuals connected to a coordinated ATM jackpotting scheme targeting credit union ATMs.
According to the indictment, between February 2024 and December 2025, attackers stole at least $5.4 million from 63 ATM machines, with another $1.4 million in attempted theft blocked.
Investigators found that attackers surveyed ATM locations in advance, testing alarm systems before launching malware-based cash-out operations. In one case, a credit union in Kearney, Nebraska, reportedly lost nearly $300,000.
These cases reinforce that ATM jackpotting is no longer a niche cybercrime tactic but part of organized financial crime networks.
Surge in ATM Jackpotting Demands Stronger Security Controls
The FBI emphasized that institutions must strengthen both physical and technical defenses to counter rising ATM cyberattacks. Recommended mitigation steps include hardware monitoring, device whitelisting, disk encryption, and strict audit logging.
A key recommendation is maintaining a verified “gold image” baseline for ATM software to quickly detect unauthorized changes—a method increasingly considered essential against Ploutus malware campaigns.
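One way to implement the gold image comparison described above, as an added example that is not part of the FBI advisory or this article: it hashes every file under a software directory, diffs the result against a manifest taken from the verified image, and flags file names matching the remote access tools the advisory lists. The directory layout, file names and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Remote access tools the advisory names as indicators of compromise.
REMOTE_ACCESS_MARKERS = ("anydesk", "teamviewer")


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's lowercased relative path to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_to_gold(gold: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Diff the live tree against the gold manifest and flag remote access tools."""
    live = build_manifest(root)
    return {
        "added": sorted(set(live) - set(gold)),
        "removed": sorted(set(gold) - set(live)),
        "modified": sorted(k for k in gold.keys() & live.keys() if gold[k] != live[k]),
        "remote_access": sorted(k for k in live
                                if any(m in k for m in REMOTE_ACCESS_MARKERS)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny stand-in software tree, baselined, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "xfs").mkdir()
        (root / "xfs" / "dispenser.dll").write_bytes(b"vendor build 1.0")
        (root / "atmapp.exe").write_bytes(b"atm application")
        gold = build_manifest(root)  # manifest taken from the verified image
        (root / "xfs" / "dispenser.dll").write_bytes(b"altered")  # changed file
        (root / "AnyDesk.exe").write_bytes(b"placeholder")  # file not in baseline
        (root / "atmapp.exe").unlink()  # file missing from live tree
        return compare_to_gold(gold, root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the gold manifest would be generated offline from the verified image and stored where the ATM itself cannot modify it, so a tampered machine cannot rewrite its own baseline.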
The increase in ATM jackpotting incidents reflects a broader shift in cybercrime strategy. Instead of attacking complex banking systems, threat actors are targeting simpler but overlooked endpoints like ATMs.
As malware becomes easier to deploy and physical vulnerabilities persist, financial institutions face a growing reality: ATM security is now a frontline cybersecurity challenge, not just an operational concern.
