Americans Lost Over $20 Million From ATM Theft, FBI Reports

According to a recent FBI report, ATM jackpotting incidents have risen sharply in the United States. In a FLASH alert issued last week, the bureau reported that of the roughly 1,900 incidents recorded since 2020, more than 700 took place in 2025 alone. Losses last year exceeded $20 million.

The alert describes jackpotting as a crime in which attackers use malware to force cash machines to dispense money without a legitimate transaction. The FBI said threat actors exploit physical and software weaknesses in ATMs, typically gaining access to the machine's internals before installing malicious code.

A day later, the United States Department of Justice announced that six more defendants had been charged in what prosecutors call an international ATM jackpotting scheme. That brings the total number of charged defendants to 93.

According to the Justice Department, the overall loss to victim financial institutions is over $6 million, with at least an additional $1.74 million attempted. Each jackpotting attempt caused losses in excess of $100,000.

How Does The Malware Work?

The FBI said attackers are deploying malware from the Ploutus family to infect ATMs. Ploutus targets the eXtensions for Financial Services interface, known as XFS, the middleware layer through which the ATM application drives the machine's hardware, including the cash dispenser.

During a legitimate withdrawal, the ATM application only sends dispense instructions through XFS once the bank has authorised the transaction. An attacker who can issue commands to XFS directly bypasses that authorisation and orders the machine to release cash. The malware needs no bank card, customer account or approval from a financial institution.

The bureau said Ploutus attacks the ATM itself rather than individual customer accounts. Once installed, it gives the attacker control over the machine. Cash can be taken within minutes, often before the bank detects the breach.

In many cases, attackers gain entry using generic keys that can be bought online. They remove the hard drive, copy malware onto it, reinstall it and reboot the ATM. In other cases, they swap the hard drive for another device preloaded with malicious software.

Who Is Accused Of Carrying Out The Attacks?

Court documents from the Justice Department allege that Tren de Aragua, described as a violent transnational criminal organisation that originated as a prison gang in Venezuela in the mid 2000s, carried out jackpotting attacks across the United States.

An indictment returned in December last year alleged that members used jackpotting to steal millions of dollars and transfer proceeds among associates to conceal illegally obtained cash. Charges across the indictments include conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, money laundering and providing material support to a designated foreign terrorist organisation.

If convicted, defendants face maximum penalties ranging from 20 to 335 years in prison. An indictment is an allegation and all defendants are presumed innocent until proven guilty in court.

What Warning Signs Should Banks Watch For?

The FBI listed technical and physical indicators that may point to an attack. On Windows-based ATMs, unexpected executable files such as Newage.exe, Color.exe, Levantaito.exe, NCRApp.exe, sdelete.exe, Promo.exe, WinMonitor.exe, WinMonitorCheck.exe and Anydesk1.exe may suggest compromise.

Suspicious files such as C.dat, Restaurar.bat and Logcontrol.txt may also appear. The presence of remote connection software such as TeamViewer or AnyDesk without authorisation raises suspicion.

Physical signs include ATM doors opening outside scheduled maintenance times, low or no cash alerts outside normal usage patterns, unauthorised devices plugged into the machine and removal of hard drives. In the Windows Security log, USB insertion events (Event ID 6416, a new external device recognised by the system) and file access events (Event ID 4663, an attempt to access an object) may also appear during an attack.

The FBI recommends that financial institutions verify file hashes against a known gold image of approved software and treat any deviation as a potential compromise. It also urges banks to report suspicious activity to local field offices or the Internet Crime Complaint Center (IC3).
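The checks above (gold-image hash comparison, the FLASH alert's indicator file names, and Event IDs 6416 and 4663) combined into one defensive routine, as an added example that is not part of the FBI alert or any ATM vendor's tooling. The file paths, file contents and event records are constructed placeholders; a real deployment would feed it hashes from the approved image and records exported from the Security log.

```python
import hashlib

# File names the FBI FLASH alert lists as indicators (matched case-insensitively on the basename)
INDICATOR_FILES = {
    "newage.exe", "color.exe", "levantaito.exe", "ncrapp.exe", "sdelete.exe", "promo.exe",
    "winmonitor.exe", "winmonitorcheck.exe", "anydesk1.exe", "c.dat", "restaurar.bat", "logcontrol.txt",
}
EVENT_USB_INSERTION = 6416  # Windows Security log: a new external device was recognised
EVENT_FILE_ACCESS = 4663    # Windows Security log: an attempt was made to access an object
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()
def check_atm(gold_image: dict, current_files: dict, events: list) -> list:
    """Compare the machine with the approved gold image and scan Security events.
    gold_image: {path: expected sha256}; current_files: {path: bytes}; events: [{"id", "detail"}]."""
    findings = []
    for path, content in current_files.items():
        if basename(path) in INDICATOR_FILES:
            findings.append(("indicator_file", path))
        if path not in gold_image:                 # anything the gold image does not approve
            findings.append(("not_in_gold_image", path))
        elif sha256(content) != gold_image[path]:  # approved path, altered content
            findings.append(("hash_mismatch", path))
    for path in gold_image:
        if path not in current_files:              # approved component removed or replaced
            findings.append(("approved_file_missing", path))
    for ev in events:
        if ev["id"] == EVENT_USB_INSERTION:
            findings.append(("usb_insertion", ev["detail"]))
        elif ev["id"] == EVENT_FILE_ACCESS and basename(ev["detail"]) in INDICATOR_FILES:
            findings.append(("indicator_file_accessed", ev["detail"]))
    return findings

# Constructed sample data: placeholder paths and contents, not real ATM software
GOLD_IMAGE = {
    r"C:\ATM\AtmApp.exe": sha256(b"approved ATM application build"),
    r"C:\ATM\XfsBridge.dll": sha256(b"approved XFS bridge library"),
}
CURRENT_FILES = {
    r"C:\ATM\AtmApp.exe": b"approved ATM application build",          # unchanged
    r"C:\ATM\XfsBridge.dll": b"approved XFS bridge library, patched",  # tampered
    r"C:\Users\Public\Newage.exe": b"dropped binary",                  # FLASH indicator name
}
EVENTS = [
    {"id": EVENT_USB_INSERTION, "detail": "USB Mass Storage Device"},
    {"id": EVENT_FILE_ACCESS, "detail": r"C:\ATM\AtmApp.exe"},          # routine access, not flagged
    {"id": EVENT_FILE_ACCESS, "detail": r"C:\Users\Public\Newage.exe"},
]
```

Running `check_atm(GOLD_IMAGE, CURRENT_FILES, EVENTS)` on the sample data yields five findings: the tampered XFS library, the dropped indicator file (both by name and as a file absent from the gold image), the USB insertion and the access to the indicator file.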