FBI: ATM ‘Jackpotting’ Attacks Soar, $20M Stolen In 2025 Alone / Fresh Today / CUToday.info

WASHINGTON— Malware-wielding criminals “jackpotted” ATMs across the United States last year, walking away with an estimated $20 million in stolen cash, according to reporting by Bank Info Security, which cited new FBI data showing a sharp rise in attacks.

The FBI has tracked roughly 1,900 ATM jackpotting incidents nationwide since 2020, with 700—about one-third—occurring in 2025 alone, Bank Info Security reported. The bureau warned ATM operators that malware-fueled cash-out schemes are accelerating and remain difficult to detect until after funds are dispensed.

Jackpotting attacks involve infecting an ATM with malware that gives criminals direct control of the machine, forcing it to dispense cash without accessing customer accounts. A widely used strain known as Ploutus is among the primary tools driving the surge, according to an FBI flash alert cited by Bank Info Security.

“The malware interacts directly with the ATM hardware, bypassing any communications or security of the original ATM software. The malware does not require connection to an actual bank customer account to dispense cash,” the FBI said in its alert.

All of the attacks require physical access to the ATM. The FBI said perpetrators often use generic keys to open the machine’s faceplate, disconnect the hard drive and either install malware via laptop or USB device, or replace the drive entirely with one preloaded with malicious code before rebooting the terminal.

Much of the activity has been linked to organized criminal networks. In December, the U.S. Department of Justice unsealed indictments against 54 individuals accused of using malware to steal millions from ATMs and launder the proceeds, activity prosecutors tied to Tren De Aragua, a Venezuela-based gang now classified as a transnational criminal organization, Bank Info Security reported.

For financial institutions, the evolving nature of Ploutus presents additional risk. First identified in Mexico in 2013, the malware has gone through multiple iterations, expanding compatibility across ATM brands and operating systems. The latest versions can be deployed across machines from different manufacturers with minimal code adjustments by exploiting the Windows operating system, according to the FBI.

The bureau urged ATM operators to strengthen both physical and technical defenses. Recommended safeguards include non-standard locks, intrusion-detection sensors, encrypted hard drives, firmware integrity checks upon reboot and monitoring for known indicators of compromise. Machines detecting suspicious activity can be configured to shut down or enter out-of-service mode automatically.

While jackpotting has surged in the U.S., Bank Info Security noted that Europe has seen a decline in malware-based ATM attacks, a shift attributed in part to widespread adoption of hardening guidance from Europol—though physical ATM attacks and fraud schemes remain prevalent overseas.
