FBI Warns of Surge in ATM Jackpotting Attacks, Over $20M Lost in 2025

FBI Issues Urgent Alert on Rising ATM Jackpotting Incidents Across the United States

The Federal Bureau of Investigation (FBI) has released a critical flash alert to disseminate indicators of compromise and technical details associated with malware-enabled ATM jackpotting. This warning comes in response to a significant surge in such criminal activities, with threat actors exploiting both physical and software vulnerabilities in automated teller machines to deploy malicious software that forces cash dispensing without legitimate transactions.

Alarming Statistics Reveal Escalating Financial Losses

According to FBI data, there have been approximately 1,900 ATM jackpotting incidents reported since 2020. However, the situation has dramatically worsened in recent times, with over 700 of these incidents occurring in 2025 alone, resulting in financial losses exceeding $20 million. This represents a substantial increase in both frequency and severity of attacks, prompting the FBI to issue this comprehensive alert to encourage organizations to implement recommended mitigation steps and to outline the information requested from the public.

Ploutus Malware Family Exploits Financial Software Vulnerabilities

Threat actors are primarily deploying ATM jackpotting malware from the Ploutus family to infect ATMs and force them to dispense cash. This sophisticated malware specifically exploits the eXtensions for Financial Services (XFS), which is the critical software layer that instructs an ATM what physical actions to perform during transactions.

Under normal circumstances, when a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. However, Ploutus malware enables threat actors to issue their own commands directly to XFS, completely bypassing bank authorization systems. This allows criminals to instruct ATMs to dispense cash on demand without requiring any bank card, customer account, or legitimate transaction approval.

Once successfully installed on an ATM, Ploutus provides threat actors with direct control over the machine, enabling them to trigger cash withdrawals at will. Crucially, this malware attacks the ATM hardware itself rather than targeting individual customer accounts, facilitating rapid cash-out operations that can be completed within minutes and are often difficult to detect until after the money has been withdrawn.

Common Methods Used to Infect ATMs with Malware

After gaining physical access to ATMs, most frequently by opening ATM faces using widely available generic keys, jackpotting threat actors employ several primary methods to deploy their malicious software:

  1. Criminals remove the ATM's hard drive, connect it to their computer, copy the malware directly to the hard drive, return the modified hard drive to the ATM, and then reboot the machine to activate the malicious software.
  2. Alternatively, criminals remove the ATM's original hard drive and replace it with a foreign hard drive or other external device that contains preloaded malware, then reboot the ATM to initiate the compromise.

How ATM Malware Operates and Evades Detection

The deployed malware interacts directly with ATM hardware components, completely bypassing any communications protocols or security measures of the original ATM software. This approach means the malware does not require connection to actual bank customer accounts to dispense cash, making detection more challenging for financial institutions.

Furthermore, this type of malware can be adapted for use across ATMs manufactured by different companies with minimal adjustments to the code, as the attackers primarily exploit vulnerabilities in the Windows operating system during the compromise process.

Physical Indicators of an Infected ATM

The FBI has identified several physical indicators that may suggest an ATM has been compromised by jackpotting malware:

  • ATM door open alerts occurring outside of planned maintenance schedules
  • Low or no cash indicators appearing outside of expected usage patterns
  • Unauthorized devices plugged into ATM ports or connections
  • Evidence of hard drive removal from ATM units
  • ATMs unexpectedly going out of service without explanation
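The indicators above only help if someone correlates them with what the fleet was supposed to be doing. The script below is an added example, not part of the FBI alert or any vendor's monitoring product: it reads constructed ATM telemetry lines (the `timestamp,atm_id,kind,value` schema, event kinds, maintenance windows and baseline disk serials are all assumptions) and flags each listed indicator by checking door-open and out-of-service events against planned maintenance windows, device-attach events, a disk serial that changed since last service (assumed here to be the telemetry evidence of a drive swap), and a cash-level drop larger than what authorized dispense transactions account for.

```python
from datetime import datetime

# Constructed telemetry lines, "timestamp,atm_id,kind,value".
# Field names and event kinds are assumptions, not a vendor schema.
SAMPLE_LOG = """\
2025-06-01T09:15:00,ATM-0042,door_open,-
2025-06-01T09:40:00,ATM-0042,cash_level,2000
2025-06-01T23:05:00,ATM-0042,door_open,-
2025-06-01T23:06:00,ATM-0042,device_attach,USB
2025-06-01T23:07:00,ATM-0042,out_of_service,-
2025-06-01T23:10:00,ATM-0042,boot,DISK-SN-9F3A
2025-06-01T23:12:00,ATM-0042,dispense,40
2025-06-01T23:20:00,ATM-0042,cash_level,1100
2025-06-02T07:55:00,ATM-0077,boot,DISK-SN-77B1
2025-06-02T08:00:00,ATM-0077,cash_level,1500
2025-06-02T12:00:00,ATM-0077,dispense,100
2025-06-02T13:00:00,ATM-0077,cash_level,1400
"""

# Constructed reference data: planned maintenance windows per unit and the
# disk serial recorded for each unit at its last authorized service visit.
MAINT_WINDOWS = {
    "ATM-0042": [(datetime(2025, 6, 1, 9, 0), datetime(2025, 6, 1, 11, 0))],
}
BASELINE_DISK = {"ATM-0042": "DISK-SN-0042", "ATM-0077": "DISK-SN-77B1"}

# Alert reason codes, one per physical indicator in the alert.
DOOR_OUTSIDE_MAINT = "door_open_outside_maintenance"
UNEXPLAINED_OOS = "unexplained_out_of_service"
DEVICE_ATTACHED = "device_attached_to_port"
DISK_CHANGED = "disk_serial_changed"
CASH_DROP = "cash_drop_without_transactions"


def parse_log(text):
    """Parse telemetry lines into (timestamp, atm_id, kind, value) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, kind, value = line.split(",")
        events.append((datetime.fromisoformat(ts), atm, kind, value))
    return events


def in_maintenance(atm, ts, windows=MAINT_WINDOWS):
    """True if ts falls inside a planned maintenance window for this ATM."""
    return any(start <= ts <= end for start, end in windows.get(atm, []))


def find_indicators(events, windows=MAINT_WINDOWS, baseline=BASELINE_DISK):
    """Return (atm_id, timestamp, reason) alerts, in time order."""
    alerts = []
    last_level = {}   # atm -> notes reported at the previous cash_level reading
    dispensed = {}    # atm -> notes dispensed by transactions since that reading
    for ts, atm, kind, value in sorted(events):
        if kind == "door_open" and not in_maintenance(atm, ts, windows):
            alerts.append((atm, ts, DOOR_OUTSIDE_MAINT))
        elif kind == "out_of_service" and not in_maintenance(atm, ts, windows):
            alerts.append((atm, ts, UNEXPLAINED_OOS))
        elif kind == "device_attach":
            # Any device attach is reported; field techs should be in a window.
            alerts.append((atm, ts, DEVICE_ATTACHED))
        elif kind == "boot" and value != baseline.get(atm):
            # Boot from a disk other than the one recorded at last service.
            alerts.append((atm, ts, DISK_CHANGED))
        elif kind == "dispense":
            dispensed[atm] = dispensed.get(atm, 0) + int(value)
        elif kind == "cash_level":
            level = int(value)
            if atm in last_level:
                drop = last_level[atm] - level
                # Cash left the safe that no authorized transaction explains.
                if drop > dispensed.get(atm, 0):
                    alerts.append((atm, ts, CASH_DROP))
            last_level[atm] = level
            dispensed[atm] = 0
    return alerts


if __name__ == "__main__":
    for atm, ts, reason in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {atm} {reason}")
```

In the constructed sample, ATM-0042 raises all five reasons during the night of 1 June while its daytime door-open (inside the maintenance window) is silent, and ATM-0077's 100-note drop matches its 100 dispensed notes, so it raises nothing. In production the cash-level check should be run per cassette and tolerate reject-bin movements, and the device-attach and disk-serial rules need the reference data (maintenance schedule, serviced disk serials) fed from the operator's own change records.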

The FBI's flash alert emphasizes the importance of vigilance and prompt reporting of suspicious activities related to ATMs. Financial institutions and ATM operators are urged to review their security protocols, implement recommended mitigation strategies, and report any potential jackpotting incidents to law enforcement authorities immediately.