Banks have spent years hardening their apps, encrypting databases, deploying fraud detection systems and taking other measures to protect against cyberattacks — and yet they appear to have overlooked those large metal boxes full of cash sitting everywhere, aka ATMs.
In 2025, criminals cracked 700 of these machines nationwide, marking a surprising spike in ATM attacks, according to the FBI, which has recorded around 1,900 incidents since 2020. These so-called “jackpotting” attacks cost banks upward of $20 million in losses last year and served as a potent reminder of the risks that under-secured ATMs still present to financial institutions.
More Than 90 Indicted Since December
Coinciding with the FBI advisory, the US Department of Justice announced that it had charged six Venezuelan nationals, ranging in age from 21 to 43, with conspiring to deploy malware on ATMs and steal millions of dollars from US banks. Since December 2025, US authorities have charged 93 individuals — including members of the notorious Tren de Aragua (TdA) group, which the US has designated as a Foreign Terrorist Organization — on charges related to ATM jackpotting. The maximum penalties upon conviction range from 20 years to 355 years in prison.
Jackpotting is an old attack technique in which an adversary gains access to an ATM’s internal electronics and manipulates the device’s software or hardware into dispensing cash without a bank account, an ATM card, or a PIN. Attackers have used various methods to do this, including replacing the ATM’s hard drive with a malware-infected copy, tampering with the drive in place, or connecting the machine to an external device that drives it. In some instances, attackers have compromised a central administrative system and used it to push malware to the target ATMs.
In many of the attacks that the FBI investigated last year, attackers infected targeted ATMs with malware that instructed the machines to empty their cash. The most common was Ploutus, a malware family that abuses eXtensions for Financial Services (XFS), the middleware layer through which the ATM application talks to its peripherals, including the cash dispenser. In a legitimate transaction the application only sends XFS a dispense command after the bank’s host system has authorized the withdrawal.
“If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand,” the FBI said in its advisory. “Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.”
Defending Against Ploutus ATM Malware
In most of the jackpotting cases it investigated, the FBI found threat actors either pulling the ATM’s hard drive, writing Ploutus to it offline and reinstalling it, or replacing the drive outright with a pre-weaponized one, and then rebooting the ATM so the malware loads with the system.
Diebold Nixdorf, one of the biggest players in the ATM space, has repeatedly highlighted the threat, published guidance on it, and called for cooperation among stakeholders in the financial services sector to mitigate it. The company has noted that jackpotting attacks have increased since the COVID-19 pandemic and has warned that organized crime groups are actively involved in these attacks.
Its recommendations to banks and other ATM operators include limiting physical access to ATMs so attackers cannot simply pry them open to reach the internals, using the strongest available encryption protocols, keeping systems up to date, and raising alarms when someone attempts to tamper with ATM hardware or software.
A Vulnerable Target
“ATM jackpotting attacks are increasing because many ATM environments remain vulnerable to basic exploitation techniques,” says Louis Eichenbaum, federal chief technology officer (CTO) at ColorTokens. These attacks typically do not require advanced capabilities, because they often exploit outdated software, weak remote access controls, and insufficient physical security.
“Many ATMs continue to operate on legacy operating systems that are difficult to patch and lack modern endpoint protections,” Eichenbaum says. “If an attacker gains physical access or compromises remote management services, they can install widely available malware and directly command the cash dispenser.”
What’s helping enable these attacks is the ready availability of security paraphernalia and generic ATM keys for opening up ATM panels, says Mayuresh Dani, security research manager at Qualys. Adding to that are the open source proof-of-concept projects that have reverse engineered XFS and document its inner workings, Dani says. “Cheap keys plus unattended ATMs at malls and gas stations make physical compromise logistically easy and repeatable.”
To better protect ATMs, security teams should consider replacing default locks and keys to protect sensitive internal ATM hardware from direct physical access. Just as with operating system hardening, an ATM security stakeholder should add physical tamper-detection mechanisms and alarms, enforce TPM-backed secure boot and firmware integrity checks, and enforce strict IP and application whitelisting so that only approved hosts can connect to an ATM and only approved binaries can execute on it, Dani says.
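The application whitelisting and integrity checks recommended above come down to one question: does what is on the ATM’s disk match what was approved? The following is an added example, not code from the article, the FBI, Diebold Nixdorf, Qualys or any ATM vendor, showing the verification logic as a hash manifest diff. The manifest format (`{relative path: SHA-256 hex}`), the file names and the tampering scenario in `demo()` are all assumptions constructed for the illustration.

```python
"""Hash-based application allowlist check for an ATM software image.

Added example; not code from the article, the FBI, Diebold Nixdorf or
any other vendor. The manifest format ({relative path: sha256 hex}) and
the file names are assumptions made up for the illustration.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_dir(root: str) -> dict:
    """Map every regular file under root ('/'-separated relative path) to its hash."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def check_allowlist(manifest: dict, observed: dict) -> dict:
    """Diff an observed image against the approved manifest.

    Each category is worth an alert on an ATM:
      unapproved: present on disk but not in the manifest (a dropped
                  jackpotting binary or loader);
      modified:   listed, but the hash changed (a patched component);
      missing:    listed, but gone (an image built from a different base,
                  as after a drive swap).
    """
    return {
        "unapproved": sorted(p for p in observed if p not in manifest),
        "modified": sorted(p for p in manifest
                           if p in observed and observed[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in observed),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: take a manifest of a clean image, then tamper
    with it in the three ways the check is meant to catch and re-check."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "app/atm_app.exe": b"approved application build 1",
            "xfs/dispenser_sp.dll": b"approved dispenser service provider",
            "tools/diag.exe": b"approved diagnostics tool",
        }
        for rel, data in clean.items():
            _write(root, rel, data)
        manifest = snapshot_dir(root)  # the approved baseline

        _write(root, "app/dropper.exe", b"unapproved binary")              # dropped
        _write(root, "xfs/dispenser_sp.dll", b"patched service provider")  # modified
        os.remove(os.path.join(root, "tools", "diag.exe"))                 # missing
        return check_allowlist(manifest, snapshot_dir(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The caveat that matters for jackpotting: the manifest and the checker live on the same disk the attacker pulls or replaces, so a script like this only holds up when the operating system enforces the allowlist at runtime and the disk is encrypted with a key sealed to the TPM and a measured boot chain. Otherwise it is useful as an audit that an operator runs against a mounted image, not as a control the ATM can rely on.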
Eichenbaum also recommends ATM operators secure remote access with multifactor authentication, eliminate shared credentials, and enforce least privilege access. On the hardware side, he says, organizations should disable unused ports, enable BIOS protections, deploy application whitelisting, and install tamper detection.
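The tamper alarms and dispense-without-authorization pattern discussed above translate into a small set of detection rules. The following is an added example, not code from the article, the FBI or any vendor, that runs those rules over constructed ATM telemetry: a cabinet opened outside an approved service window, a reboot on a boot disk with an unexpected serial, and dispense events that have no matching host authorization. The line format, event names, ATM ID, disk serials, service windows and the 30-second authorization window are all assumptions made up for the illustration; real ATMs expose these signals through vendor agents and XFS or journal logs in their own formats.

```python
"""Rule-based detection over ATM telemetry for the jackpotting pattern:
cabinet opened, machine rebooted on a different disk, cash dispensed
without a matching host authorization.

Added example; not code from the article, the FBI or any vendor. The
line format, event names, ATM ID, disk serials and service windows are
all constructed for the illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed baseline per ATM: expected boot-disk serial and the approved
# service windows (UTC) during which a cabinet_open is expected.
BASELINE = {
    "ATM-0412": {
        "disk_serial": "SN-1A2B3C",
        "service_windows": [("2025-03-03T09:00:00Z", "2025-03-03T11:00:00Z")],
    },
}

# A dispense must follow its host authorization within this window (assumed).
AUTH_WINDOW = timedelta(seconds=30)

# Constructed sample: a scheduled service visit, then an after-hours drive
# swap followed by a cash-out burst with no host authorization.
SAMPLE_LOG = """\
2025-03-03T09:20:00Z atm=ATM-0412 event=cabinet_open
2025-03-03T09:35:00Z atm=ATM-0412 event=cabinet_close
2025-03-04T02:11:05Z atm=ATM-0412 event=cabinet_open
2025-03-04T02:14:40Z atm=ATM-0412 event=shutdown
2025-03-04T02:21:12Z atm=ATM-0412 event=boot disk_serial=SN-9F9F9F
2025-03-04T02:22:30Z atm=ATM-0412 event=host_auth txn=T1001 amount=200
2025-03-04T02:22:31Z atm=ATM-0412 event=dispense txn=T1001 amount=200
2025-03-04T02:23:01Z atm=ATM-0412 event=dispense amount=2000
2025-03-04T02:23:04Z atm=ATM-0412 event=dispense amount=2000
2025-03-04T02:23:07Z atm=ATM-0412 event=dispense amount=2000
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """'<ts> k=v k=v ...' -> {'ts': datetime, 'k': 'v', ...}."""
    ts, *pairs = line.split()
    event = {"ts": parse_ts(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def in_service_window(ts: datetime, windows: list) -> bool:
    return any(parse_ts(a) <= ts <= parse_ts(b) for a, b in windows)


def detect(log_text: str, baseline: dict = BASELINE) -> list:
    """Return (atm, rule, timestamp) alerts, in log order."""
    alerts = []
    pending_auth = {}  # (atm, txn) -> time the host authorized it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        atm, kind = ev["atm"], ev["event"]
        base = baseline.get(atm, {})
        if kind == "cabinet_open" and not in_service_window(
                ev["ts"], base.get("service_windows", [])):
            alerts.append((atm, "PHYSICAL_TAMPER", ev["ts"]))
        elif kind == "boot" and ev.get("disk_serial") != base.get("disk_serial"):
            alerts.append((atm, "DISK_SWAP", ev["ts"]))
        elif kind == "host_auth":
            pending_auth[(atm, ev["txn"])] = ev["ts"]
        elif kind == "dispense":
            # Every dispense must consume one recent host authorization for
            # the same transaction; anything else is the jackpotting signature.
            auth_ts = pending_auth.pop((atm, ev.get("txn")), None)
            if auth_ts is None or ev["ts"] - auth_ts > AUTH_WINDOW:
                alerts.append((atm, "UNAUTHORIZED_DISPENSE", ev["ts"]))
    return alerts


if __name__ == "__main__":
    for atm, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {atm} {rule}")
```

The dispense rule is the one that catches Ploutus-style cash-outs regardless of how the malware got onto the machine, because it keys on the host’s view of authorized transactions rather than on anything the compromised ATM reports about itself; the cabinet and disk rules give the earlier warning that a drive swap is under way.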
