ATM Jackpotting Surges with $20M Lost in 2025

The FBI warns of a sharp rise in ATM jackpotting attacks. Criminals use malware to force machines to spit out cash. Since 2020, the bureau has recorded 1,900 incidents. In 2025 alone, losses topped $20 million.

How Criminals Gain Access

Attackers target ATMs with weak physical security. They use generic keys to open the front panel. These keys are easy to obtain. Once inside, they reach the hard drive quickly. They either remove the drive or replace it entirely. Next, they connect it to their computer. They copy malware onto it. Then, they reattach the drive and reboot the ATM.

Ploutus malware is the most common tool. It first appeared in Mexico in 2013. The malware exploits the XFS layer in ATM software. XFS controls physical actions like dispensing cash.

Normally, XFS waits for bank approval. Attackers bypass this step completely. They send direct commands to the hardware. Cash dispenses in minutes without any card or account.

Why Detection Is Hard

The attack requires no internet connection to the bank. Malware runs locally on the ATM’s Windows system. It ignores built-in security controls. Therefore, alerts often come too late. Cash gets withdrawn before staff notice anything wrong. Machines from different makers are vulnerable. Attackers need only small code changes. This makes the method very effective.

The FBI counted 700 incidents in 2025. The Department of Justice reported $40.73 million lost since 2021. Attacks happen nationwide and continue to increase. Criminal groups refine their techniques.

Some cases involve organized networks. Recent indictments charged 93 suspects. Six more face bank fraud and computer damage charges. Authorities link them to a known criminal organization.

Physical and Software Weaknesses

Many ATMs use default locks and credentials. Cameras and sensors are missing or disabled. Malware exploits these gaps. It interacts directly with dispensers and counters.

Attackers trigger cash-outs in short bursts. This reduces the chance of immediate discovery. However, repeated attacks on the same machine raise suspicion eventually.

Prevention Strategies

Financial institutions can stop most jackpotting with layered defenses. First, upgrade physical security with tamper sensors, better cameras, and unique non-standard locks. Change all default credentials immediately. Moreover, use continuous monitoring to detect abnormal cash dispense commands, unauthorized USB connections, or unusual reboot patterns early.

Configure ATMs to shut down automatically on signs of compromise. Enforce strict device allowlisting and review logs regularly. These measures help catch attacks quickly and limit financial losses significantly.
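
The monitoring described above can be sketched as a single pass over ATM event logs. This is an added example, not code from the FBI or any ATM vendor. The pipe-delimited log format, event names, time windows and allowlist entry are assumptions made up for illustration, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp|atm_id|event|detail" format.
SAMPLE_LOG = """\
2025-03-01T10:00:00|ATM-17|HOST_AUTH|txn=1001
2025-03-01T10:00:04|ATM-17|DISPENSE|txn=1001
2025-03-02T02:10:00|ATM-17|CABINET_OPEN|top_hat
2025-03-02T02:12:30|ATM-17|USB_CONNECT|vid_pid=ffff:0001
2025-03-02T02:19:00|ATM-17|REBOOT|unscheduled
2025-03-02T02:24:10|ATM-17|DISPENSE|txn=none
2025-03-02T02:24:40|ATM-17|DISPENSE|txn=none
2025-03-03T09:00:00|ATM-22|USB_CONNECT|vid_pid=0abc:0001
"""

USB_ALLOWLIST = {"0abc:0001"}          # assumed approved service device
AUTH_WINDOW = timedelta(seconds=30)    # assumed max gap between approval and dispense
TAMPER_WINDOW = timedelta(minutes=15)  # assumed gap linking a cabinet open to a reboot

def detect(log_text):
    """Return (timestamp, atm_id, rule) alerts from one pass over the log."""
    alerts, pending_auth, last_open = [], {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, atm, event, detail = line.split("|", 3)
        ts = datetime.fromisoformat(ts_raw)
        if event == "HOST_AUTH":
            pending_auth[(atm, detail)] = ts
        elif event == "DISPENSE":
            # Each dispense must consume a recent host approval for the same
            # transaction; popping the approval stops it being reused.
            auth_ts = pending_auth.pop((atm, detail), None)
            if auth_ts is None or ts - auth_ts > AUTH_WINDOW:
                alerts.append((ts_raw, atm, "DISPENSE_WITHOUT_HOST_AUTH"))
        elif event == "CABINET_OPEN":
            last_open[atm] = ts
        elif event == "USB_CONNECT":
            if detail.split("=", 1)[-1] not in USB_ALLOWLIST:
                alerts.append((ts_raw, atm, "USB_NOT_ALLOWLISTED"))
        elif event == "REBOOT":
            opened = last_open.get(atm)
            if opened is not None and ts - opened <= TAMPER_WINDOW:
                alerts.append((ts_raw, atm, "REBOOT_AFTER_CABINET_OPEN"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The dispense rule is the one that matters most for this attack: because the malware drives the dispenser locally, the dispense has no matching host approval, so the correlation has to be made from records that the compromised ATM cannot suppress.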

Sleep well, we got you covered.
