FBI Adds Cyber Criminal Anibal Canelon Aguirre to Ten Most Wanted List for ATM Jackpotting
FBI Adds Cyber Criminal to Most Wanted for ATM Jackpotting Scheme

FBI Elevates Cyber Criminal to Ten Most Wanted List in Unprecedented Move

In a significant announcement, FBI Omaha Special Agent in Charge Eugene Kowel and U.S. Attorney for the District of Nebraska Lesley Woods revealed that Anibal Alexander Canelon Aguirre has been added to the FBI's prestigious Ten Most Wanted Fugitives list. This marks the first time a cyber criminal has been featured on this list, highlighting the escalating threat of digital financial crimes.

International Conspiracy to Fund Terrorism Through ATM Jackpotting

Canelon Aguirre is accused of orchestrating a large-scale international conspiracy that deployed crews to the United States to steal millions of dollars from financial institutions. The illicit funds were allegedly funneled to support Tren de Aragua (TdA), a designated foreign terrorist organization. Since at least January 2024, the conspiracy has engaged in ATM jackpotting, a sophisticated scheme where malware is installed on ATMs to force unauthorized cash withdrawals.

The stolen money then flows through a complex money laundering network, enriching Canelon Aguirre and his associates while financing terrorist activities. This case underscores the growing nexus between cyber crime and global terrorism, with financial institutions becoming prime targets.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

Rise of Malware-Enabled ATM Jackpotting Across the United States

According to an FBI alert, criminals are increasingly using ATM jackpotting malware, including variants of the Ploutus family, to infect ATMs and dispense cash unlawfully. Ploutus malware exploits the eXtensions for Financial Services (XFS), a software layer that controls ATM hardware operations. By bypassing standard bank authorization processes, the malware interacts directly with ATM hardware, allowing cash withdrawals without accessing legitimate customer accounts.

Common Methods Used to Infect ATMs:

  • Threat actors gain physical access to ATMs, often using generic keys to open the ATM face.
  • They remove the ATM's hard drive, connect it to a computer, copy malware onto it, reinstall the drive, and reboot the ATM.
  • Alternatively, they replace the hard drive with a foreign device preloaded with malware before rebooting the system.

This malware can be adapted across ATMs from different manufacturers with minimal code adjustments, primarily by exploiting the Windows operating system vulnerabilities. The FBI warns that these attacks bypass traditional network-based security measures, making detection challenging.

FBI Recommendations for Enhanced ATM Security

To combat ATM jackpotting, the FBI advises banks and financial institutions to implement rigorous validation steps during incident response. Key measures include:

  1. Confirming file hashes match the organization's verified baseline to detect unauthorized changes.
  2. Deploying ATMs from a controlled "gold image" containing cryptographically verified executables, libraries, and configuration files approved by vendors and institutions.
  3. Treating any deviation from baseline hashes, such as unsigned or newly introduced binaries, as a potential compromise.

Maintaining and routinely validating system integrity against a gold image is emphasized as one of the most effective defenses against ATM-targeted malware. This approach helps identify locally introduced files that evade conventional detection methods.

Arrest Warrant and Legal Charges Against Canelon Aguirre

On December 9, 2025, a federal arrest warrant was issued for Canelon Aguirre in the U.S. District Court, District of Nebraska. He faces multiple charges, including:

  • Conspiracy to Commit Bank Fraud
  • Conspiracy to Commit Bank Burglary and Intentionally Damage a Protected Computer System
  • Conspiracy to Commit Money Laundering
  • Conspiracy to Provide Material Support to Terrorists

This investigation is part of Joint Task Force Vulcan, conducted in collaboration with the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice's Criminal Division. The case highlights the federal government's intensified efforts to tackle cyber crimes with transnational implications.

Pickt after-article banner — collaborative shopping lists app with family illustration

Statements from Law Enforcement Officials

Special Agent in Charge Eugene Kowel of the FBI Omaha Field Office stated, "Canelon Aguirre led a vast conspiracy to commit cyber attacks against financial institutions in communities across our country on behalf of Tren de Aragua. He and his associates generated a multimillion-dollar revenue stream ultimately funding a foreign terrorist organization." He added, "The FBI's 'Ten Most Wanted Fugitives' list highlights the seriousness of Canelon Aguirre's criminal conduct both at home and abroad. We are asking for the public's help in our efforts to apprehend, arrest, and hold Canelon Aguirre accountable for his crimes."

Kowel further emphasized that adding Canelon Aguirre to the list demonstrates the FBI's commitment to following the money and surging resources to disrupt Tren de Aragua's network. The agency vows to continue working with partners to identify, disrupt, and dismantle this criminal enterprise domestically and internationally.

This development signals a pivotal shift in law enforcement priorities, as cyber criminals increasingly pose threats to national security and economic stability. The public is urged to report any information related to Canelon Aguirre or similar activities to assist in these critical investigations.