The Federal Bureau of Investigation has issued a warning about rising nationwide incidents of “ATM jackpotting,” in which criminals hack into ATM machines to steal funds, the agency said in a Feb. 19 Flash alert.
“Threat actors exploit physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction. The FBI has observed an increase in ATM jackpotting incidents across the United States. Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them with more than $20 million in losses occurred in 2025 alone,” the alert said.
To hack ATMs, criminals deploy jackpotting malware. This includes the Ploutus family of malware, which exploits a software layer in ATMs called eXtensions for Financial Services (XFS).
XFS instructs the ATM on what physical action it must take, such as dispensing cash. During a legitimate transaction, the ATM sends instructions via XFS to banks for authorization to release cash. However, if a threat actor achieves the ability to issue their own commands to XFS, they can bypass bank authorization, like with Ploutus.
“Once Ploutus is installed on an ATM, it gives threat actors direct control over the machine, allowing them to trigger cash withdrawals,” the FBI stated in the alert.
“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.”
The FBI listed several indicators of compromise and technical details of ATM jackpotting, and encouraged organizations to implement recommended mitigation measures to counter the threat. They include physical security actions, such as installing threat sensors and ensuring that ATMs are properly monitored with surveillance systems; hardware security measures, such as configuring security settings to automatically shut down if a jackpotting attempt is detected; and a number of logging, auditing, network security, and threat intelligence measures.
A major ongoing case of ATM jackpotting involves the Tren de Aragua gang, a designated Foreign Terrorist Organization. On Feb. 20, a federal grand jury charged six individuals with participating in a Tren de Aragua ATM jackpotting scheme, the Department of Justice said in a statement on Feb. 20.
The individuals were charged for “their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States,” the Justice Department stated.
“Eighty-seven others have already been charged, bringing the total to 93 charged defendants,” it stated.
“The loss to victim financial institutions was in excess of $100,000 per jackpotting attempt. The overall loss to the victim financial institutions is over $6 million, with at least an additional $1.74 million attempted.”
Card Skimming
While the jackpotting scheme targets ATM machines and the banks that fund them, officials have warned about scams involving ATMs that specifically target customers.
In January, the U.S. Secret Service announced that it had investigated 60,000 point-of-sale card readers and terminals in 2025, identifying illegal card-skimming devices and preventing more than $428 million in theft.
In card skimming, criminals attach a device to a card reader or payment terminal. When someone uses their card at a reader or terminal, skimming devices enable threat actors to steal card information, such as credit card numbers, CVV codes, expiration dates, and PINs.
Law enforcement agencies have seen a “nationwide increase” in skimming activities, especially targeting electronic benefits transfer (EBT) cards, the Secret Service said.
“EBT fraud targets the nation’s most vulnerable communities. Each month, money is deposited into government assistance accounts intended to help families pay for food and other basic items. This enables criminals who steal card information to time their fraudulent withdrawals and purchases around the monthly deposits,” the Secret Service stated.
“Criminals often steal EBT and other payment card numbers by installing illegal skimming devices on ATMs, gas pumps, and merchant point-of-sale terminals.”
People who use crypto ATMs are also at risk of being defrauded.
According to the FBI’s 2024 Internet Crime Report, published in April 2025, there were 10,956 complaints about cryptocurrency ATM/kiosk fraud in that year, resulting in $246.7 million in losses. Complaints rose by 99 percent from 2023, with losses rising by 31 percent.
Victims of crypto ATM fraud were duped via government impersonation scams, fraudulent investment schemes, and tech support scams, according to the report.
Friends Read Free
Copy
Facebook
Tweet
