The Federal Bureau of Investigation (FBI) has issued a fresh warning about the surge in ATM jackpotting attacks across the United States, revealing that financial losses exceeded $20 million in 2025 alone.
According to federal data, approximately 1,900 jackpotting incidents have been reported since 2020, with 700 of those occurring in 2024. In December 2025, the U.S. Department of Justice (DoJ) reported that total losses tied to jackpotting schemes have reached nearly $40.73 million since 2021.
How ATM Jackpotting Works
ATM jackpotting involves criminals exploiting both physical and software weaknesses in cash machines. Attackers install specialized malware that forces ATMs to dispense cash without a valid bank transaction.
One of the most commonly used malware strains is Ploutus, first identified in Mexico in 2013. Once deployed, it allows threat actors to take full control of an ATM and trigger rapid cash withdrawals, often within minutes.
In many incidents, criminals gain unauthorized access by opening ATM panels using widely available generic keys.
Malware Deployment Techniques
Investigators have identified two primary methods used to infect ATMs:
- Removing the ATM’s hard drive, connecting it to a separate computer, copying the malware, reinstalling the drive, and rebooting the machine.
- Replacing the original hard drive entirely with a malicious drive preloaded with jackpotting malware, followed by a system restart.
Regardless of the approach, the outcome is the same. The malware communicates directly with ATM hardware, bypassing security safeguards built into the original ATM software.
Because many ATMs operate on Windows-based systems, attackers exploit the underlying operating system rather than targeting a specific manufacturer. This makes the malware adaptable across multiple ATM brands with minimal modification.
Exploiting the XFS Layer
Ploutus abuses the eXtensions for Financial Services, commonly referred to as XFS. This software layer controls how ATM hardware components operate.
Under normal circumstances, the ATM application sends transaction instructions through XFS for bank authorization. However, if attackers inject their own commands into XFS, they can override the authorization process entirely and instruct the ATM to release cash on demand.
This technique enables criminals to empty machines quickly, often before financial institutions detect suspicious activity.
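The defensive counterpart to the attack described above is reconciliation: every cash dispense the machine performs should trace back to a host authorization issued moments earlier, from the one process that is allowed to talk to XFS. The following is an added example, not code from the article or from any ATM vendor; the log formats, the process name AtmApp.exe, the 30-second authorization window and the 10-second burst threshold are all assumptions constructed for illustration. It flags dispenses issued by an unexpected process, dispenses with no matching host approval, dispenses exceeding the approved amount, and rapid back-to-back dispenses of the kind Ploutus produces.

```python
"""Reconcile ATM dispense events against host authorizations (added example).
Log line formats, process names and thresholds are constructed assumptions;
real XFS middleware and journal formats vary by vendor."""
from datetime import datetime, timedelta

# Constructed sample: dispense commands as a monitoring agent on the ATM might log them.
# ts, issuing process, XFS command, amount dispensed, transaction id ('-' when none).
DISPENSE_LOG = """\
2025-11-03T10:15:02 proc=AtmApp.exe cmd=CDM_DISPENSE amount=200 txn=TX1001
2025-11-03T10:17:45 proc=AtmApp.exe cmd=CDM_DISPENSE amount=60 txn=TX1002
2025-11-03T23:41:10 proc=svchost_upd.exe cmd=CDM_DISPENSE amount=2000 txn=-
2025-11-03T23:41:13 proc=svchost_upd.exe cmd=CDM_DISPENSE amount=2000 txn=-
2025-11-03T10:20:00 proc=AtmApp.exe cmd=CDM_DISPENSE amount=500 txn=TX1003
"""

# Constructed sample: approvals the bank host returned for each transaction id.
HOST_AUTH_LOG = """\
2025-11-03T10:15:00 txn=TX1001 approved=200
2025-11-03T10:17:44 txn=TX1002 approved=60
2025-11-03T10:19:59 txn=TX1003 approved=100
"""

AUTHORIZED_PROCESSES = {"AtmApp.exe"}   # assumed name of the legitimate ATM application
MAX_AUTH_AGE = timedelta(seconds=30)    # assumed max delay between approval and dispense
BURST_GAP = timedelta(seconds=10)       # assumed gap that marks "rapid" consecutive dispenses


def parse_kv_lines(text):
    """Parse '<iso timestamp> key=value ...' lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def find_suspicious_dispenses(dispense_text, auth_text,
                              authorized_procs=AUTHORIZED_PROCESSES,
                              max_auth_age=MAX_AUTH_AGE, burst_gap=BURST_GAP):
    """Return one alert dict per dispense that fails any reconciliation rule.

    Dispenses are processed in timestamp order so the burst rule sees true neighbours.
    """
    auths = {r["txn"]: r for r in parse_kv_lines(auth_text)}
    dispenses = sorted(parse_kv_lines(dispense_text), key=lambda r: r["ts"])
    alerts = []
    previous_ts = None
    for d in dispenses:
        reasons = []
        if d.get("proc") not in authorized_procs:
            reasons.append("dispense issued by unauthorized process")
        auth = auths.get(d.get("txn"))
        if auth is None:
            reasons.append("no host authorization for this dispense")
        else:
            if int(d["amount"]) > int(auth["approved"]):
                reasons.append("dispensed amount exceeds approved amount")
            age = d["ts"] - auth["ts"]
            if age < timedelta(0) or age > max_auth_age:
                reasons.append("dispense outside authorization window")
        if previous_ts is not None and d["ts"] - previous_ts <= burst_gap:
            reasons.append("rapid consecutive dispense")
        previous_ts = d["ts"]
        if reasons:
            alerts.append({"ts": d["ts"].isoformat(), "proc": d.get("proc"),
                           "amount": int(d["amount"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_dispenses(DISPENSE_LOG, HOST_AUTH_LOG):
        print(alert["ts"], alert["proc"], alert["amount"], "; ".join(alert["reasons"]))
```

On the constructed input this raises three alerts: the TX1003 dispense of 500 against an approval of 100, and the two late-night dispenses from an unknown process that have no host authorization at all, the second of which also trips the burst rule. Each rule is independent, so a dispense that is properly authorized but issued by the wrong binary still surfaces, which is the case when malware drives XFS directly while the ATM application is running.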