$20 million lost in 'jackpotting' ATM malware attacks in 2025, FBI reports — scheme forces machines to spit out cash, targets banks and ATM operators

Published: February 20, 2026 at 07:50 AM EST
Source: Tom’s Hardware

FBI Alert on ATM Jackpotting Malware

The Federal Bureau of Investigation (FBI) has issued a cybersecurity alert warning about the rise of malware attacks on automated teller machines (ATMs). According to the FBI FLASH document (PDF), threat actors are breaking into these machines using generic keys to open their maintenance cabinets. They remove the storage drive, load malware onto it—or replace it with a compromised one—and then reboot the machine to load the payload.

How the Attack Works

One of the malware families used in these attacks is Ploutus, which exploits the eXtensions for Financial Services (XFS) software. ATMs rely on XFS to communicate with the bank network and authorize each transaction. Ploutus overrides XFS and issues its own commands, allowing attackers to take control of the machine and dispense cash without a card or account. This technique is known as “jackpotting.”

Impact and Losses

  • Since 2020, the FBI has recorded 1,900 reported jackpotting attacks.
  • 700 of those attacks (more than a third) occurred in the most recent year.
  • Losses from 2025 alone exceed $20 million.

While the general public is not directly targeted, these attacks contribute to higher costs for banks and insurance companies, which can ultimately be passed on to consumers. For comparison, losses from Bitcoin ATM fraud reached $333 million in 2025, affecting private individuals directly (Tom’s Hardware report).

Recommendations

Given the sheer number of ATMs deployed across the United States—hundreds of thousands—implementing security recommendations will take time. Nonetheless, stakeholders are urged to:

  1. Secure physical access to maintenance cabinets with tamper‑resistant locks.
  2. Encrypt and monitor storage drives for unauthorized modifications.
  3. Update XFS software regularly and apply vendor security patches.
  4. Deploy intrusion detection systems that can flag anomalous ATM behavior.
  5. Conduct regular audits of ATM firmware and configuration.
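
As an added example for recommendation 4 (not taken from the FBI alert or the article), the following Python correlates the steps of the attack chain described above: a cabinet opened outside maintenance, a reboot shortly afterward, and cash dispensed with no preceding host authorization. The log format, event names, and time windows are assumptions for this example, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format: ISO time, ATM id, event, detail).
SAMPLE_LOG = """\
2026-01-10T14:00:00 ATM-0007 CARD_AUTH txn=1001
2026-01-10T14:00:20 ATM-0007 DISPENSE amount=200
2026-01-11T02:10:00 ATM-0042 CABINET_OPEN
2026-01-11T02:16:30 ATM-0042 REBOOT
2026-01-11T02:21:00 ATM-0042 DISPENSE amount=2000
2026-01-11T02:21:40 ATM-0042 DISPENSE amount=2000
2026-01-12T09:00:00 ATM-0015 CABINET_OPEN ticket=MAINT-1
2026-01-12T09:05:00 ATM-0015 REBOOT
"""

AUTH_WINDOW = timedelta(seconds=90)    # assumed max gap: host authorization -> dispense
TAMPER_WINDOW = timedelta(minutes=15)  # assumed max gap: cabinet open -> reboot

def parse(log):
    """Yield (timestamp, atm_id, event, detail) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, atm, event, *detail = line.split()
            yield datetime.fromisoformat(ts), atm, event, " ".join(detail)

def detect(log):
    """Return (atm_id, rule, timestamp) alerts for the jackpotting chain."""
    alerts, last_auth, last_open = [], {}, {}
    for ts, atm, event, detail in sorted(parse(log)):
        if event == "CARD_AUTH":
            last_auth[atm] = ts
        elif event == "CABINET_OPEN" and "ticket=" not in detail:
            last_open[atm] = ts  # opened with no maintenance ticket on record
        elif event == "REBOOT":
            opened = last_open.pop(atm, None)
            if opened and ts - opened <= TAMPER_WINDOW:
                alerts.append((atm, "reboot_after_unticketed_cabinet_open", ts))
        elif event == "DISPENSE":
            auth = last_auth.pop(atm, None)  # one authorization covers one dispense
            if auth is None or ts - auth > AUTH_WINDOW:
                alerts.append((atm, "dispense_without_authorization", ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the constructed sample, only ATM-0042 raises alerts; the ticketed maintenance visit on ATM-0015 and the card-authorized withdrawal on ATM-0007 do not.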
