The U.S. Department of Justice (DoJ) has formally charged 54 individuals in connection with a large-scale ATM jackpotting operation that caused tens of millions of dollars in losses across the United States.
According to federal prosecutors, the accused were involved in a coordinated campaign that used a sophisticated malware strain known as Ploutus to manipulate automated teller machines and force them to dispense cash illegally. Investigators allege the operation was conducted by members and affiliates of Tren de Aragua, a Venezuelan criminal gang designated as a foreign terrorist organization by the U.S. State Department.
In July 2025, the U.S. government imposed sanctions on the group’s leader, Hector Rusthenford Guerrero Flores, also known as Niño Guerrero, along with five senior figures. Authorities linked them to crimes including drug trafficking, human smuggling, sexual exploitation, extortion, and money laundering.
Multiple Indictments Filed Across 2025
Federal officials stated that an indictment returned on December 9, 2025, charged 22 defendants with crimes such as bank fraud, burglary, and money laundering. Prosecutors claim the group used ATM jackpotting schemes to steal millions of dollars, which were later distributed among members and associates of the network.
A second indictment returned on October 21, 2025, named an additional 32 individuals. These defendants face charges that include conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, multiple counts of bank fraud, bank burglary, and intentional damage to protected computer systems.
If convicted, some defendants could face prison sentences ranging from 20 years to as much as 335 years under federal law.
“These defendants used organized surveillance and burglary methods to compromise ATM machines, install malware, and steal cash, which was then laundered to support terrorism and other criminal activities linked to Tren de Aragua,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

How the Ploutus Jackpotting Scheme Worked
Investigators revealed that the operation relied on recruiting individuals to physically deploy the malware across the country. Recruits were instructed to conduct reconnaissance on ATM locations, examine security systems, and test whether opening an ATM would trigger alarms or alert law enforcement.
Once access was confirmed, attackers installed Ploutus by either replacing the ATM’s hard drive with one containing the malware or inserting a removable USB device. The malware was capable of sending unauthorized commands to the ATM’s cash dispensing module, forcing the machine to release currency on demand.
The Justice Department added that Ploutus was designed to erase traces of its presence, making detection more difficult for banks and credit unions. The stolen funds were then divided according to predetermined arrangements among the conspirators.
Background and Technical Capabilities of Ploutus
Ploutus malware was first identified in Mexico in 2013. In 2014, cybersecurity firm Symantec reported that ATMs running Windows XP could be compromised, allowing criminals to withdraw cash using SMS-based commands.
Further analysis in 2017 by FireEye, now part of Google Mandiant, showed that newer variants of Ploutus could control Diebold ATMs and operate on multiple Windows versions.
Security researchers noted that once installed, Ploutus-D enabled money mules to extract thousands of dollars within minutes. Successful operation required physical access to the ATM, a master key or lock-picking capability, an external keyboard, and an activation code provided by the organizers.
Millions Lost Across the United States
Federal authorities reported that since 2021, at least 1,529 ATM jackpotting incidents have been recorded nationwide. As of August 2025, the total financial losses attributed to the criminal network reached approximately $40.73 million.
“Millions of dollars were drained from ATM machines throughout the United States, and the proceeds are alleged to have been funneled to Tren de Aragua leadership to fund terrorist activities,” said U.S. Attorney Lesley Woods.


