
The US Department of Justice has charged 54 people for their alleged roles in ATM jackpotting attacks that drained millions of dollars from US banks.
Prosecutors say the attackers used Ploutus malware – a tool built to force ATMs to give out cash on command. Eventually, the stolen funds were funneled to Tren de Aragua (TdA), a known Venezuelan criminal organization recently designated as a terrorist group.
Federal investigators say the conspiracy operated across multiple states. Unlike other crimes that involve ATMs, the attackers didn’t rely on card skimming or phishing. Instead, they directly compromised the ATMs, then used malware to force them to dispense cash.
According to court documents, the group targeted banks and credit unions nationwide and carried out more than 1,500 ATM attacks, resulting in more than $40 million in losses.
The DOJ alleges that several suspects held leadership roles within Tren de Aragua and coordinated logistics, recruitment and money laundering from abroad.
Ploutus malware is one of the most effective tools for ATM jackpotting because it bypasses customer-facing controls and communicates directly with the cash dispenser.
The attackers used the same, repeatable attack chain:
Unlike traditional fraud, these attacks required no stolen cards, no PINs and no customer interaction.
The DOJ charged all 54 defendants with crimes that include bank fraud, computer damage, money laundering and conspiracy to provide material support to a terrorist organization.
One defendant, Jimena Romina Araya Navarro, allegedly served as a senior Tren de Aragua leader and previously appeared on US Treasury sanctions lists.
“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy and that money is alleged to have gone to Tren de Aragua leaders to fund their terroristic activities and purposes,” said United States Attorney Lesley Woods.
If convicted, defendants face sentences ranging from 20 to 335 years in prison.
What is ATM jackpotting?
ATM jackpotting forces machines to dispense cash using malware rather than stolen cards or PINs.
What is Ploutus malware?
Ploutus is an ATM-specific malware family that communicates directly with the cash dispenser to trigger unauthorized withdrawals.
What is Tren de Aragua?
Tren de Aragua is a Venezuela-based transnational criminal organization involved in financial fraud, cyber-enabled crime, and violent activities.
Are regular ATM users affected?
No. ATM jackpotting attacks target the machines themselves and not the customer cards or accounts.
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
December 18, 2025
December 11, 2025