FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025
Source: The Hacker News
Overview
The U.S. Federal Bureau of Investigation (FBI) has warned of a sharp increase in ATM jackpotting incidents across the United States, resulting in losses exceeding $20 million in 2025.
- 1,900 ATM jackpotting incidents reported since 2020.
- 700 of those incidents occurred in 2025 alone.
- The U.S. Department of Justice (DoJ) reported that $40.73 million has been collectively lost to jackpotting attacks since 2021 (source: https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html).
“Threat actors exploit physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction,” the FBI stated in a Thursday bulletin (source: https://www.ic3.gov/CSA/2026/260219.pdf).
Malware Used
The attacks commonly employ specialized malware such as Ploutus. Ploutus was first observed in Mexico in 2013 and gives attackers full control over an ATM, allowing cash‑outs that can occur within minutes and remain undetected until after the money is withdrawn.
- Ploutus abuses the eXtensions for Financial Services (XFS) layer, the middleware through which an ATM’s application instructs its hardware. By issuing its own XFS commands, the malware bypasses bank authorization entirely and commands the ATM to dispense cash on demand (source: https://en.wikipedia.org/wiki/CEN/XFS).
Attack Methods
There are at least two primary ways the malware is introduced to an ATM:
- Hard‑drive removal and infection: the attacker removes the ATM’s hard drive, connects it to a computer, copies the malware onto the drive, reinstalls the drive, and reboots the ATM.
- Hard‑drive replacement: the original drive is swapped with a foreign drive pre‑loaded with the malware, followed by a reboot.
Both methods allow the malware to interact directly with the ATM hardware, circumventing any security controls in the original software. Because the attack does not require a legitimate bank card or customer account, it can be used against ATMs from different manufacturers with minimal code changes, exploiting the underlying Windows operating system.
Technical Details
When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. If an attacker can issue their own XFS commands, they can bypass the authorization step and instruct the ATM to dispense cash on demand.
Mitigation Recommendations
The FBI outlines several steps organizations can take to reduce jackpotting risk:
- Physical security
- Install threat sensors and security cameras.
- Replace standard locks with high‑security locks on ATM devices.
- Device hardening
- Audit ATM devices regularly.
- Change default credentials.
- Configure automatic shutdown when indicators of compromise are detected.
- Enforce device allow‑listing to block unauthorized peripherals.
- Logging and monitoring
- Maintain comprehensive logs of ATM activity.
- Implement real‑time monitoring for anomalous behavior.
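The defining symptom described above is a cash dispense with no legitimate transaction behind it, which is exactly what the FBI's "real‑time monitoring for anomalous behavior" recommendation should catch. The following is an added example, not code from the FBI bulletin or The Hacker News: it correlates dispenser events against host authorizations over a constructed log sample (the log format, field names and ATM id are assumptions, not any vendor's real XFS or journal format) and flags dispenses that have no matching authorization or exceed the authorized amount.

```python
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <ATM id> <event> key=value ...".
# AUTH = the host approved a withdrawal; DISPENSE = the cash unit paid out.
# Lines 3-4 model a jackpotting cash-out: dispenses with no authorization.
SAMPLE_LOG = """\
2026-02-19T10:01:02 ATM-017 AUTH txn=A1 amount=200
2026-02-19T10:01:05 ATM-017 DISPENSE txn=A1 amount=200
2026-02-19T10:42:10 ATM-017 DISPENSE txn=- amount=2000
2026-02-19T10:42:14 ATM-017 DISPENSE txn=- amount=2000
2026-02-19T11:00:00 ATM-017 AUTH txn=A2 amount=100
2026-02-19T11:00:03 ATM-017 DISPENSE txn=A2 amount=300
"""

def parse(line):
    """Split one log line into (timestamp, atm, event, {key: value})."""
    ts, atm, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), atm, event, fields

def unauthorized_dispenses(log_text, window=timedelta(seconds=60)):
    """Return (time, atm, amount, reason) for each DISPENSE that has no
    host AUTH for the same ATM and txn within `window` ("no-auth"), or
    that pays out more than the host authorized ("over-auth")."""
    auths = {}   # (atm, txn) -> (authorization timestamp, authorized amount)
    alerts = []
    for line in log_text.splitlines():
        ts, atm, event, f = parse(line)
        if event == "AUTH":
            auths[(atm, f["txn"])] = (ts, int(f["amount"]))
        elif event == "DISPENSE":
            amount = int(f["amount"])
            auth = auths.get((atm, f["txn"]))
            # A dispense must follow its authorization, and within the window.
            if auth is None or not (timedelta(0) <= ts - auth[0] <= window):
                alerts.append((ts.isoformat(), atm, amount, "no-auth"))
            elif amount > auth[1]:
                alerts.append((ts.isoformat(), atm, amount, "over-auth"))
    return alerts

if __name__ == "__main__":
    for alert in unauthorized_dispenses(SAMPLE_LOG):
        print("ALERT", *alert)
```

In a deployment the AUTH stream would come from the host or switch and the DISPENSE stream from the terminal, so a feed that shows dispenses the host never saw is the signal to act on, independent of whatever the compromised terminal reports.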