Cybercriminals Stole $20 Million by Forcing ATMs to Spit Out Cash, FBI Says

The Federal Bureau of Investigation (FBI) has issued a flash cyber-alert outlining a sharp increase in malware-enabled ATM jackpotting incidents nationwide, highlighting a growing threat that financial institutions and ATM operators must urgently address.

According to the advisory (FLASH-20260219-001), cybercriminals are increasingly deploying sophisticated malware — particularly variants of the Ploutus family — to force Automated Teller Machines (ATMs) to dispense cash without any legitimate transaction or bank authorization.

These attacks exploit software vulnerabilities and weak physical security, allowing criminals to take direct control of ATM hardware.

$20 million stolen in 2025 alone

About 1,900 cases of ATM jackpotting have been documented across the United States since 202, the FBI says.

Notably, over 700 of these occurred in 2025 alone, inflicting more than $20 million in losses, in a rapid escalation.

Unlike traditional skimming or card fraud, malware-enabled jackpotting targets the ATM’s internal software and hardware, bypassing the need for customer account access altogether.

Once successfully installed — often via physical access to the machine’s internals — the malware can issue cash-dispense commands directly to the ATM’s payout mechanisms.

How hackers get inside ATMs

The advisory details several common infection techniques criminals use, including:

• Removing or replacing the ATM hard drive to install malware before rebooting the machine
• Using generic or easily obtainable keys to gain physical access to the ATM’s interior
• Leveraging malware that interacts directly with the Windows operating system and financial service software layers (like XFS) to control disbursement functions

“The malware can be used across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise,” according to the notice.

A continuum of ATM threats over the years

Bitdefender has documented a range of jackpotting-related threats over the years.

Last year, authorities charged 54 people, many tied to the Venezuelan Tren de Aragua gang, for their role in deploying Ploutus malware in coordinated ATM jackpotting schemes across multiple states.

Similar jackpotting rings have been disrupted abroad — for example, Italian police arrested criminals using “black box” interfaces that commandeered multiple ATMs.

Older reports noted attackers leveraging creative equipment like Raspberry Pi devices to bypass security and open ATMs in Texas.

Security researchers have even shown on video, in a controlled environment, how ATM malware can be introduced to force cash dispensers to eject money in minutes.

Indicators of compromise (IOCs)

Operational defenders and incident responders are urged to watch out for unusual executable files — including unfamiliar binaries like newage.exe, color.exe, and others — not normally found on ATM hard drives. Additional warning signs include:

• Unauthorized remote access tools (e.g., TeamViewer, AnyDesk) running on ATM systems
• Suspicious USB event logs, such as external storage insertion or unexplained hard drive changes
• Physical signs of ATM tampering, including opened maintenance hatches outside of scheduled service windows

Mitigation and response

To mitigate this evolving threat, the FBI recommends a combination of physical, technical, and process-based controls:

• Strengthen physical security: Upgrade locks and barriers, and install environmental and motion sensors to detect tampering.
• Harden software environments: Use firmware integrity checks, enforce disk encryption, and enable whitelisting of trusted applications.
• Improve logging and monitoring: Audit removable storage use and track system events for unauthorized actions.
• Adopt integrity validation: Maintain verified “gold image” baselines for ATM systems to quickly detect unauthorized changes.

The Bureau encourages affected organizations and observers to report suspicious activity to local FBI field offices and through the IC3 portal, helping to build a more complete picture of ongoing jackpotting threats.