FBI: Over $20 million stolen in surge of ATM malware attacks in 2025

Published: February 20, 2026 at 05:08 AM EST

Source: Bleeping Computer

The FBI warned that Americans lost more than $20 million last year amid a massive surge in ATM “jackpotting” attacks, in which criminals use malware to force cash machines to dispense money.

According to a Thursday FBI flash alert, more than 700 ATM jackpotting incidents were reported last year alone—a significant spike compared to the roughly 1,900 total incidents reported across the United States since 2020.

How the Ploutus malware works

  • The attacks target the software layer that controls an ATM’s physical hardware, specifically the eXtensions for Financial Services (XFS) API.
  • Ploutus bypasses the normal bank‑authorization process, allowing criminals to issue commands directly to the ATM and trigger withdrawals on demand without a card, a customer account, or bank approval.
  • The FBI explains:

“Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do. When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand.”
FBI flash alert (PDF)

Attack methodology

  1. Physical access – Attackers obtain generic keys to open the ATM.
  2. Drive manipulation – They remove the machine’s hard drive, copy the malware onto it, and reinstall it, or swap the original drive for one pre‑loaded with the malicious software.
  3. Execution – Once the compromised drive is in place, the malware can command the ATM to dispense cash in minutes.

Defensive recommendations

The FBI encourages financial institutions to:

  • Audit ATM systems for signs of unauthorized removable storage use and unknown processes.
  • Implement gold‑image integrity validation to detect physical intrusion and malware staging events that might evade network‑based monitoring.
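The second recommendation, gold-image integrity validation, amounts to comparing what is actually on the ATM host against a known-good manifest and flagging any drift, plus checking running processes against an allowlist. The following is an added illustration, not code from the FBI alert or from any ATM vendor; all file paths, process names and contents are constructed for the example.

```python
"""Gold-image integrity check for an ATM host: compare the files present on
the machine against a signed-off baseline manifest, and compare running
processes against an allowlist. All sample data below is constructed."""
import hashlib
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_dir(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root.
    Use this against the mounted ATM drive (or the gold image) in practice."""
    base = Path(root)
    return {str(p.relative_to(base)).replace("\\", "/"): sha256_bytes(p.read_bytes())
            for p in base.rglob("*") if p.is_file()}


def manifest_from_bytes(files: dict) -> dict:
    """Same shape as manifest_from_dir, for in-memory (constructed) file sets."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def diff_manifests(gold: dict, current: dict) -> dict:
    """Report drift from the gold image: files added, removed or modified."""
    added = sorted(set(current) - set(gold))
    removed = sorted(set(gold) - set(current))
    modified = sorted(p for p in gold.keys() & current.keys() if gold[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def unknown_processes(running: list, allowlist: set) -> list:
    """Process image names not part of the approved ATM build (case-insensitive)."""
    return sorted({p.lower() for p in running} - {a.lower() for a in allowlist})


# Constructed sample: hypothetical paths/names, not taken from the FBI alert.
GOLD_FILES = {"atm/app/atmapp.exe": b"vendor application build 1",
              "atm/xfs/xfs_layer.dll": b"xfs middleware build 1",
              "atm/config/settings.ini": b"dispense_limit=400"}
CURRENT_FILES = dict(GOLD_FILES)
CURRENT_FILES["atm/config/settings.ini"] = b"dispense_limit=4000"   # tampered
CURRENT_FILES["atm/app/svchost_update.exe"] = b"unexpected binary"  # staged
ALLOWED_PROCESSES = {"atmapp.exe", "xfsmgr.exe"}
RUNNING = ["atmapp.exe", "XFSMGR.EXE", "svchost_update.exe"]


def integrity_report() -> dict:
    """Combine file drift and process findings; 'clean' is True only if none."""
    report = diff_manifests(manifest_from_bytes(GOLD_FILES), manifest_from_bytes(CURRENT_FILES))
    report["unknown_processes"] = unknown_processes(RUNNING, ALLOWED_PROCESSES)
    report["clean"] = not any(report[k] for k in ("added", "removed", "modified", "unknown_processes"))
    return report


if __name__ == "__main__":
    print(integrity_report())
```

Run offline the check runs only on the drive itself, so it catches a swapped or re-imaged disk that never generated network traffic; keep the gold manifest off the ATM so a replaced drive cannot also replace the baseline.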

The warning follows a wave of arrests targeting members of the Tren de Aragua (TdA) gang, who were linked to a massive jackpotting scheme using Ploutus malware.

  • The U.S. Department of Justice has charged 87 Tren de Aragua members over the past six months.
  • Sentences range from 20 to 335 years in prison for each defendant.

For more details on the arrests, see the BleepingComputer report: US charges 31 more suspects linked to ATM malware attacks.
