The Federal Bureau of Investigation (FBI) has raised concerns over a surge in ATM jackpotting incidents nationwide, which have resulted in financial losses exceeding $20 million in 2025 alone. Since 2020, there have been 1,900 reported cases of such attacks, with 700 occurring in the past year. In December 2025, the U.S. Department of Justice (DoJ) reported that a total of $40.73 million has been lost to these attacks since 2021.
Understanding the Jackpotting Threat
ATM jackpotting involves cybercriminals exploiting both physical and software vulnerabilities in ATMs, often by deploying malware to dispense cash unlawfully. The FBI, in a recent bulletin, highlighted that threat actors use sophisticated malware, such as Ploutus, to gain unauthorized control over ATM systems. Commonly, attackers access machines using widely available generic keys, allowing them to open the ATM face and inject the malware.
The malware is usually installed by either removing the ATM’s hard drive and connecting it to an attacker’s computer or replacing it with a foreign drive preloaded with malicious software. Once installed, the malware interacts directly with ATM hardware, bypassing the existing security measures of the original software. This enables the malware to operate across various ATM models with minimal code modifications, exploiting the Windows operating system.
Mechanics of Malware Deployment
First observed in Mexico in 2013, Ploutus has evolved to provide cybercriminals with full control over ATMs, facilitating rapid and undetectable cash withdrawals. According to the FBI, the malware manipulates the eXtensions for Financial Services (XFS) software, which directs ATM actions. By issuing unauthorized commands through XFS, attackers can bypass the usual bank authorization process, making it possible to dispense cash on demand.
This sophisticated attack method requires no bank card or customer account interaction, significantly increasing its effectiveness and reach. The FBI emphasized the urgency of understanding these tactics to implement effective countermeasures.
Preventive Measures and Recommendations
In response to the growing threat, the FBI has suggested several strategies to mitigate the risks associated with ATM jackpotting. Key recommendations include enhancing physical security by installing threat sensors and security cameras and by replacing standard locks on ATM devices. Additionally, financial institutions are advised to audit ATM devices regularly, change default credentials, and configure automatic shutdowns when compromise indicators are detected.
Further measures involve enforcing device allowlisting to prevent unauthorized connections and maintaining comprehensive logs for monitoring purposes. These steps aim to bolster security protocols and reduce the vulnerability of ATMs to jackpotting attacks.
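The logging, device allowlisting and automatic shutdown recommendations can be combined into a single monitoring check. The following Python is an added example, not code from the FBI bulletin or any ATM vendor; the log format, event names, device IDs and 60-second authorization window are constructed assumptions.

```python
# Constructed log format (hypothetical, not a real XFS or vendor format):
#   <ISO timestamp> <ATM id> <EVENT> key=value ...
import re
from datetime import datetime, timedelta

ALLOWED_DEVICES = {"0x1111:0x2222"}   # constructed allowlisted VID:PID
AUTH_WINDOW = timedelta(seconds=60)   # assumed max gap, host approval -> dispense

SAMPLE_LOG = """\
2025-01-01T02:10:00 ATM-EX-01 HOST_AUTH txn=1001 result=approved
2025-01-01T02:10:20 ATM-EX-01 DISPENSE txn=1001 notes=4
2025-01-01T03:01:30 ATM-EX-01 DEVICE_ATTACH id=0xdead:0xbeef class=storage
2025-01-01T03:05:00 ATM-EX-01 DISPENSE txn=none notes=40
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")

def parse(line):
    """Split one log line into (time, atm, event, fields) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, atm, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return datetime.fromisoformat(ts), atm, event, fields

def find_indicators(log_text):
    """Return (time, atm, indicator) for each compromise indicator seen."""
    approved = {}   # (atm, txn) -> time the host approved the transaction
    alerts = []
    for ts, atm, event, f in filter(None, map(parse, log_text.splitlines())):
        if event == "HOST_AUTH" and f.get("result") == "approved":
            approved[(atm, f.get("txn"))] = ts
        elif event == "DEVICE_ATTACH" and f.get("id") not in ALLOWED_DEVICES:
            alerts.append((ts, atm, "device_not_allowlisted"))
        elif event == "DISPENSE":
            # Each approval covers one dispense; pop() prevents reuse.
            auth = approved.pop((atm, f.get("txn")), None)
            if auth is None or ts - auth > AUTH_WINDOW:
                alerts.append((ts, atm, "dispense_without_host_auth"))
    return alerts

def atms_to_shut_down(alerts):
    """Assumed policy: any indicator takes that ATM out of service."""
    return sorted({atm for _, atm, _ in alerts})

if __name__ == "__main__":
    for ts, atm, kind in find_indicators(SAMPLE_LOG):
        print(ts.isoformat(), atm, kind)
```

On the constructed sample, the approved 02:10 withdrawal passes, while the unlisted storage device and the dispense with no matching host approval are both flagged.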
As cyber threats continue to evolve, it is imperative for organizations to remain vigilant and proactive in safeguarding their financial assets against such sophisticated criminal activities.
