
Rise in Malware-Enabled ATM Jackpotting Leads to FBI Alert

  • Writer: Roy Urrico
  • 13 hours ago
  • 4 min read




Threat actors are deploying jackpotting malware to infect ATMs and force them to dispense cash without legitimate transactions, according to a recently released FBI FLASH, which also disseminated indicators of compromise (IOCs), technical details and recommendations. In its alert the FBI observed an increase in ATM jackpotting incidents across the U.S. Of the 1,900 ATM jackpotting incidents reported since 2020, more than 700 resulted in more than $20 million in losses in 2025 alone.


Threat actors use ATM jackpotting malware, including the Ploutus malware family, which was first detected in 2013 by Symantec. Ploutus exploits the eXtensions for Financial Services (XFS), the software layer through which the ATM application instructs the machine's hardware. When a legitimate transaction occurs, the ATM application sends instructions through XFS for financial institution authorization. If a threat actor can supply their own commands to XFS, they can bypass credit union or bank authorization entirely and instruct the ATM to dispense cash on demand. The result: Ploutus permits threat actors to compel ATMs to dispense cash without a banking institution card, customer account, or bank authorization.


“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes…often difficult to detect until after the money is withdrawn,” the FBI FLASH cautioned.

Jason Bartolacci, director at ProSight Fraud Alert Network.

“This isn’t a new threat — ATM jackpotting has been around for years, but it continues to evolve and exploit vulnerable machines. The real implication of this alert is that institutions should reassess ATM environments as part of their broader cyber risk program, not treat them as isolated hardware. Coordination between physical security, cyber, and fraud teams is essential to closing the gaps these groups exploit,” Jason Bartolacci told Finopotamus.


Bartolacci is a director at ProSight Fraud Alert Network, a digital community designed to help credit unions, banks, and direct-to-consumer fintechs combat fraud more effectively.


Karen Postma, SVP, Risk Solutions, at Velera.

“ATM jackpotting has been a continued issue for financial institutions for a few years. The difficulty comes in the fact that typical monitoring solutions will not be able to detect this type of attack since it bypasses normal checks. This makes a layered security approach essential,” Karen Postma, SVP, Risk Solutions, at Velera, told Finopotamus.


Postma added, “Reviewing the mitigation practices listed on the bulletin (FBI FLASH) should be top priority. As ATMs become increasingly software-driven, digital and physical security can no longer be treated as separate domains. Proactive risk management, ongoing infrastructure modernization and clear incident response planning are critical to protecting both credit union assets and member trust.”



Common Methods of Infection


The FBI FLASH described how the jackpotting scheme works. After gaining access to ATMs, most often by opening an ATM face with widely available generic keys, ATM jackpotting threat actors have used the following main methods to deploy malware:


  • Remove the ATM’s hard drive, connect it to their computer, copy the malware to the hard drive, return the hard drive to the ATM, and reboot the ATM.

  • Remove the ATM’s hard drive, replace it with a foreign hard drive or other external device with preloaded malware, and reboot the ATM.


In its warning the FBI described how the malware interacts directly with the ATM hardware, bypassing any communications or security controls of the original ATM software. The malware does not require a connection to an actual banking account to dispense cash. “The malware is effective across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise.”


Recommended Mitigations


The FBI recommends a targeted audit policy focused on removable storage usage, controlled file access, and process creation, which provides high-fidelity detection of ATM jackpotting activity with minimal system overhead. “When combined with gold image integrity validation, this approach enables early identification of physical intrusion and malware staging events that would otherwise evade network-based monitoring.”


Application of some of the following mitigations could limit potential adversarial use of the Ploutus malware family and reduce the risk of ATM jackpotting, according to the FBI:


Physical Security


  • Threat sensors on devices and vestibules. Installing vibration, temperature change, and other sensors to alert security personnel to suspicious activity.

  • Locks and keypads. Changing the standard locks on ATM devices to prevent the use of keys available for purchase online. Installing keypads on devices that set off alarms if a code is not entered when the maintenance hatch is opened.

  • Physical barriers. Installing additional keyed barriers that prevent the cashbox and maintenance hatch from being accessed.

  • Security cameras and footage.


Hardware Security


  • Automatic shutdown. Configuring security settings to take preventative action on the ATM when an established combination of IOCs for ATM Jackpotting is detected.

  • Device whitelisting to block unauthorized devices, such as phones and hard drives.

  • Firmware checks.

  • Disk encryption.

  • Track components using software bill of materials and hardware bill of materials for software and hardware integrity.

  • Enabling memory integrity in Windows security settings.


Logging


  • If jackpotting risk exists, explicitly enable the following: audit removable storage, and audit object access (with targeted system access control lists only).

  • Maintaining logging and, if available, centrally storing it, could allow security personnel to detect suspicious activity quickly.
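One way to turn the audit policy described under Recommended Mitigations (removable storage, a targeted SACL on the ATM application directory, process creation) and the gold image integrity validation it is paired with into offline detection logic, as an added example that is not code from the FBI FLASH or from Finopotamus. It assumes Security-log events have been exported as one JSON object per line and that the audit subcategories above are enabled. The event IDs are standard Windows ones (4663 object access, also produced by the Removable Storage subcategory; 4688 process creation; 6416 new external device recognized), but the protected directory `C:\ATM\app\`, the updater allow list, the file names and every sample event are constructed for this example.

```python
"""Offline triage of exported ATM security-audit events plus a gold-image
integrity check. Added example, not code from the FBI FLASH or Finopotamus.
Assumes the audit subcategories named in the text are enabled and that
Security-log events were exported as one JSON object per line. Event IDs
are standard Windows ones: 4663 (object access, also emitted by the
Removable Storage subcategory), 4688 (process creation), 6416 (new external
device recognized). Paths, allow list and sample events are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample export (one JSON object per line; paths are JSON-escaped).
SAMPLE_EVENTS = r'''
{"EventID":4688,"Time":"2025-11-02T03:10:04Z","NewProcessName":"C:\\ATM\\app\\atmapp.exe","ParentProcessName":"C:\\Windows\\explorer.exe"}
{"EventID":6416,"Time":"2025-11-02T03:12:41Z","DeviceDescription":"USB Mass Storage Device","ClassName":"DiskDrive"}
{"EventID":4663,"Time":"2025-11-02T03:12:55Z","ObjectName":"E:\\svc\\setup.exe","AccessMask":"0x1","ProcessName":"C:\\Windows\\explorer.exe"}
{"EventID":4663,"Time":"2025-11-02T03:13:02Z","ObjectName":"C:\\ATM\\app\\xfs_helper.exe","AccessMask":"0x2","ProcessName":"C:\\Windows\\explorer.exe"}
{"EventID":4688,"Time":"2025-11-02T03:13:20Z","NewProcessName":"C:\\ATM\\app\\xfs_helper.exe","ParentProcessName":"C:\\Windows\\explorer.exe"}
'''

# Constructed policy: the ATM application directory covered by a targeted SACL,
# and the only process permitted to write there (a hypothetical updater).
PROTECTED_DIR = "C:\\ATM\\app\\"
ALLOWED_WRITERS = {"C:\\ATM\\updater\\updater.exe"}
SYSTEM_DRIVE = "C:\\"
# FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE bits of the 4663 AccessMask.
WRITE_BITS = 0x2 | 0x4 | 0x10000


def parse_events(text: str) -> List[dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: Iterable[dict], gold_files: Iterable[str]) -> List[str]:
    """Return one finding per event matching a jackpotting staging pattern."""
    gold = set(gold_files)
    findings = []
    for ev in events:
        eid, when = ev["EventID"], ev["Time"]
        if eid == 6416 and ev.get("ClassName") == "DiskDrive":
            # Physical intrusion indicator: a disk-class device was plugged in.
            findings.append(f"{when} removable disk attached: {ev['DeviceDescription']}")
        elif eid == 4663:
            obj, proc = ev["ObjectName"], ev["ProcessName"]
            mask = int(ev["AccessMask"], 16)
            if not obj.upper().startswith(SYSTEM_DRIVE):
                # Removable Storage auditing: any access outside the system volume.
                findings.append(f"{when} file access on non-system volume {obj} by {proc}")
            elif obj.startswith(PROTECTED_DIR) and mask & WRITE_BITS and proc not in ALLOWED_WRITERS:
                # Targeted SACL: write/delete in the app directory by an unapproved process.
                findings.append(f"{when} write to protected path {obj} by unapproved process {proc}")
        elif eid == 4688:
            exe = ev["NewProcessName"]
            if exe.startswith(PROTECTED_DIR) and exe[len(PROTECTED_DIR):] not in gold:
                # Process creation: a binary in the app directory the gold image lacks.
                findings.append(f"{when} process not in gold image started: {exe}")
    return findings


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every file under the gold image root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_gold_image(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a live tree to the manifest; report modified, missing and unexpected files."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo_gold_image_check() -> Dict[str, List[str]]:
    """Build a constructed gold image in a temp dir, tamper with it, and verify."""
    root = Path(tempfile.mkdtemp())
    try:
        for name, data in {"atmapp.exe": b"legit app", "xfs.dll": b"legit lib", "config.ini": b"key=1"}.items():
            (root / name).write_bytes(data)
        manifest = build_manifest(root)                    # taken from the clean image
        (root / "config.ini").write_bytes(b"key=2")        # modified
        (root / "xfs.dll").unlink()                        # missing
        (root / "xfs_helper.exe").write_bytes(b"unknown")  # unexpected
        return verify_gold_image(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in triage(parse_events(SAMPLE_EVENTS), {"atmapp.exe", "xfs.dll", "config.ini"}):
        print(line)
    print(demo_gold_image_check())
```

The triage keys on a handful of fields on purpose: a removable-disk arrival, any file access off the system volume, a write into the application directory by a process that is not the approved updater, and a process start from that directory for a binary absent from the gold image manifest. Run on the constructed export it produces four findings in that order, which is the staging sequence the alert describes, while the first (legitimate) process start produces none. The gold-image check is the same manifest comparison a periodic integrity job would run on the ATM, reported separately as modified, missing and unexpected files.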
