
    ATM Malware Scheme Allegedly Stole Millions With Nothing But A Thumb Drive

    A federal grand jury in Nebraska has handed down an indictment charging 31 more people in connection with what authorities are calling a nationwide ATM hacking conspiracy. The charges include conspiracy to commit bank fraud, bank burglary, and computer fraud. This follows two earlier indictments from October and December 2025, which already charged 56 other individuals. The total number of individuals charged now stands at 87.

    A press release by the U.S. Department of Justice (DOJ) states that the alleged scheme involved installing malware on ATMs across the country. The malware used a technique known in cybersecurity circles as “jackpotting”: it forces the machine to dispense cash on command. The defendants allegedly connected an external device, such as a thumb drive, that carried the malware. According to the DOJ, it worked well enough to generate millions in illegal proceeds.

    But it clearly wasn’t enough to evade the law. Now, leading the investigation is the FBI’s Omaha Field Office alongside Homeland Security Investigations. They are joined by dozens of other law enforcement agencies across the country, who are assisting. Meanwhile, the prosecutors are the DOJ’s Computer Crime and Intellectual Property Section and the U.S. Attorney’s Office for the District of Nebraska.

    How the heist was pulled off

    Most ATMs are, at their core, just regular PCs. And most of them are powered by Windows, often older versions of it. One of the more popular versions is Windows 10 LTSC 2015, a long-term support version of Windows, which recently reached end-of-life, along with the consumer version of Windows 10. So the industry is, right now, in the middle of a transition to newer versions of that software.

    And because these are essentially regular PCs, they run on standard hardware with USB ports and all the usual connectivity you’d expect from a desktop computer. That makes them vulnerable to the same kinds of malware that can infect a home computer — provided you can actually get physical access to the internals. That’s exactly what the alleged hackers reportedly did here. The indictment states that they used a variant of malware called Ploutus.

    Ploutus is a well-documented strain first discovered in Mexico back in 2013. It specifically targets the middleware layer ATMs use to communicate between their software and their cash dispensers. The middleware in question is called XFS, short for eXtensions for Financial Services. It essentially acts as a translator between the ATM’s operating system and its physical hardware. Ploutus exploits this middleware to bypass all of the bank’s legitimate transaction software and issue unauthorized commands directly to the cash dispenser. It’s a very different technique from card skimming, since it targets the ATM itself rather than individual customers’ cards.
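    Because every legitimate dispense still has to pass through the XFS manager, a defender can watch which processes talk to it. The Python below is an added example, not part of this article or of any ATM vendor’s product: it runs over constructed Sysmon-style events and flags any image that loads msxfs.dll (assumed here to be the XFS manager DLL) but is not on the bank’s allowlist, raising the severity when the load follows a removable-media arrival. The DLL name, file paths, event shape and sample events are all assumptions.

```python
"""Detect unexpected callers of the XFS manager on an ATM host.

Added example, not from the article. Assumptions (constructed): events are
Sysmon-style dicts, the XFS manager library is msxfs.dll, and the allowlist
holds the bank's legitimate ATM application.
"""
from datetime import datetime, timedelta

XFS_MANAGER = "msxfs.dll"           # XFS manager DLL that fronts the dispenser
USB_WINDOW = timedelta(minutes=15)  # stay suspicious this long after a USB arrival

# Constructed sample telemetry: image-load events plus one removable-media arrival.
SAMPLE_EVENTS = [
    {"ts": "2025-11-02T02:10:05", "type": "usb_arrival", "device": "USB\\VID_0000&PID_0000"},
    {"ts": "2025-11-02T02:11:40", "type": "image_load", "image": "C:\\Temp\\svchosts.exe",
     "module": "C:\\Windows\\System32\\msxfs.dll", "signed": False},
    {"ts": "2025-11-02T09:00:00", "type": "image_load", "image": "C:\\ATM\\bankapp.exe",
     "module": "C:\\Windows\\System32\\msxfs.dll", "signed": True},
    {"ts": "2025-11-02T09:30:00", "type": "image_load", "image": "C:\\Tools\\diag.exe",
     "module": "C:\\Windows\\System32\\msxfs.dll", "signed": True},
]

def find_xfs_anomalies(events, allowlist):
    """Return (severity, image, ts) for each non-allowlisted caller of the XFS manager.

    Severity is 'high' when the caller is unsigned or the load follows a
    removable-media arrival within USB_WINDOW (the thumb-drive delivery the
    indictment describes); otherwise 'medium'. Events are scanned in time order.
    """
    allowed = {p.lower() for p in allowlist}
    last_usb = None
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "usb_arrival":
            last_usb = ts
            continue
        if ev["type"] != "image_load" or not ev["module"].lower().endswith(XFS_MANAGER):
            continue
        if ev["image"].lower() in allowed:
            continue  # the bank's own software is expected to talk to XFS
        recent_usb = last_usb is not None and ts - last_usb <= USB_WINDOW
        severity = "high" if (recent_usb or not ev["signed"]) else "medium"
        alerts.append((severity, ev["image"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in find_xfs_anomalies(SAMPLE_EVENTS, ["C:\\ATM\\bankapp.exe"]):
        print(alert)
```

    On the constructed sample the unsigned loader that appears a minute and a half after the USB arrival is rated high, while the signed diagnostic tool hours later is rated medium.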

    How the bad actors got away (initially)

    The DOJ alleges that members of the conspiracy would travel in groups, using multiple vehicles, to scope out targeted banks and credit unions. They’d conduct reconnaissance first, taking note of things like security cameras and alarms at those locations. Then they would reportedly open the ATM’s outer casing and wait to see whether that triggered any kind of law enforcement response. If the coast was clear, they’d go ahead and install the malware, either by pulling the ATM’s hard drive and loading Ploutus onto it, or simply by plugging in an external drive such as a thumb drive. The whole process reportedly took roughly 10 minutes. The malware was also apparently designed to delete traces of itself afterward, which would make it harder for bank employees to figure out what had happened. Once all of that was done, the group is alleged to have divided up the stolen cash.

    The Ploutus malware family is well known to law enforcement and has been on its radar for well over a decade now. A joint report from Europol and Trend Micro documented how it has evolved considerably since its early days. Early versions required a CD to install. Later iterations got more creative — one variant involved physically hiding a mobile phone inside the ATM housing, connected to the computer, so criminals could send an SMS to remotely trigger a cash-dispensing command from wherever they happened to be.

    If convicted, the defendants in this case face prison terms ranging from 20 to 335 years. That said, at this point, the indictment is, of course, still an indictment — so all defendants are presumed innocent until proven guilty.
