
    US Charges 54 in Massive ATM Jackpotting Conspiracy

    A whopping 54 individuals have been indicted for their roles in a conspiracy to deploy malware and commit ATM Jackpotting fraud.

    A federal grand jury in the District of Nebraska has returned two indictments: one on December 9, charging 22 individuals for their roles in the conspiracy, and another on October 21, charging 32.

    If convicted, the defendants face a maximum term of imprisonment ranging between 20 and 335 years, according to a release from the US Attorney’s Office, District of Nebraska, published on December 18.

    The indictment also alleges that Tren de Aragua, a Venezuelan crime syndicate, has used ATM jackpotting to steal millions of dollars in the US and then transferred the proceeds among its members and associates to conceal the illegally obtained cash.

    “As alleged, these defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of Tren de Aragua, a designated Foreign Terrorist Organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. 

    Total losses from the jackpotting incidents are said to have reached $40.73m as of August 2025.

    The alleged conspiracy developed and deployed a variant of the malware known as Ploutus, which was used to compromise ATMs and force them to dispense cash.

    According to Google’s threat intelligence, the malware is one of the most advanced ATM malware families and was first discovered in Mexico in 2013. A new version, dubbed Ploutus-D, was first observed in 2017 and targeted ATMs made by the vendor Diebold.

    During the ATM burglaries, members of the conspiracy would travel to the locations of the targeted banks and credit unions to conduct initial reconnaissance and take note of the external security features at the ATMs.

    Following this reconnaissance, the groups would open the hood or door of an ATM and then wait nearby to see whether they had triggered an alarm or a law enforcement response.

    Only then would they install the Ploutus malware on the ATM, in one of three ways: by removing the hard drive and installing the malware on it directly, by replacing the hard drive with one pre-loaded with the malware, or by connecting an external device such as a thumb drive that deployed the malware.

    The Ploutus malware’s primary purpose was to issue unauthorized commands to the ATM’s Cash Dispensing Module in order to force it to dispense currency.

    The malware was also designed to obfuscate evidence of the criminal activity and to prevent employees of the banks and credit unions from learning that it had been deployed.
