FBI Warns of Surge in ATM Jackpotting Attacks Linked to Ploutus Malware
Federal authorities and private sector security researchers are warning financial institutions of a renewed surge in ATM jackpotting attacks, a form of cyber-enabled theft that forces cash machines to dispense large volumes of currency on command. The campaign is being linked to variants of the Ploutus malware, a strain that has evolved steadily over the past decade.
According to investigators, more than $20 million has been stolen in recent incidents. The attacks are highly coordinated, often involving technical operators who install malware on targeted machines and cash-out crews who collect the dispensed funds within minutes.
What Is ATM Jackpotting?
ATM jackpotting refers to a technique in which attackers manipulate a cash machine to release money without authorization. Unlike traditional skimming operations, jackpotting does not target customer card data. Instead, it directly compromises the ATM’s internal software or hardware components.
In many cases, attackers gain physical access to the machine. They open the cabinet, connect an external device or insert a malicious USB drive, and install malware onto the ATM’s operating system. Once activated, the malware takes commands from the attacker, typically through the keypad or an attached keyboard, and issues dispense instructions through the ATM’s own cash-handling software, so the dispenser cannot tell them apart from withdrawals the bank’s host has actually authorized.
The Role of Ploutus Malware
Ploutus first emerged in Latin America but has since appeared in North America, Europe and parts of Asia Pacific. The malware is designed specifically for ATM systems, many of which still run legacy versions of Windows. Over time, the threat has become more modular and adaptable.
Recent variants are capable of bypassing security controls and encrypting communications between the ATM and the attacker’s control device. Some versions stay dormant until a unique, time-limited activation code is entered through the ATM keypad, so there is little visible to detect until the cash is already being dispensed.
How the Attacks Unfold
Investigations suggest that organized crime groups are responsible for many of the incidents. Teams typically conduct reconnaissance to identify vulnerable ATMs located in areas with minimal surveillance. Machines in standalone kiosks or lightly monitored retail spaces are particularly attractive targets.
After compromising the ATM, attackers trigger the malware remotely or locally. The dispenser releases cash in rapid sequences, sometimes emptying the machine in minutes. Cash-out teams are positioned nearby to retrieve the funds before bank personnel or law enforcement can respond.
Security analysts note that some attacks involve social engineering as well. Individuals posing as maintenance workers have reportedly accessed internal components under false pretenses, reducing suspicion while deploying malicious tools.
Financial Impact and Broader Risk
The financial impact extends beyond the immediate cash losses. Banks face operational disruption, reputational damage and the cost of replacing compromised hardware. In several cases, entire fleets of ATMs were temporarily taken offline for forensic review and patching.
Industry experts warn that as long as legacy systems remain in service, jackpotting will continue to present a viable attack vector. Many ATMs still operate on outdated software platforms that lack modern endpoint detection and response capabilities.
Mitigation Measures for Financial Institutions
Authorities are urging financial institutions to implement layered security controls. This includes enforcing strict physical access controls, disabling unused USB ports and applying timely operating system updates. Application allowlisting and endpoint protection tools designed for ATM environments can also block or flag unauthorized processes, which is exactly what jackpotting malware is the first time it runs.
Network segmentation is another critical measure. Isolating ATMs from broader banking networks reduces the risk of lateral movement if a compromise occurs. Continuous monitoring of dispenser activity can also provide early warning: every legitimate dispense follows a transaction authorized by the bank’s host, so a dispense with no matching authorization, or a rapid series of large dispenses from one machine, is a strong signal of a jackpotting attempt in progress.
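As an added illustration of that correlation (example code written for this article, not guidance from the bureau or tooling from any ATM vendor), the Python below reads a constructed dispenser log, matches each dispense to a host authorization for the same transaction and flags dispenses that have none, as well as bursts of cash from a single machine. The log format, field names, ATM identifiers and thresholds are all assumptions made for the example; a real deployment would read the equivalent fields from the ATM software’s own journal.

```python
# Added example (not from the article or any vendor): flag jackpotting-like
# dispenser behaviour by correlating ATM dispense events with host authorizations.
# The log format, field names, ATM IDs and thresholds below are constructed
# assumptions for illustration, not a real ATM vendor's log schema.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) atm=(?P<atm>\S+) event=(?P<event>\S+) "
    r"txn=(?P<txn>\S+) amount=(?P<amount>\d+)$"
)

# Constructed sample log: one legitimate withdrawal on each of two machines,
# then four unauthorized 2,000-unit dispenses in 24 seconds on ATM-0417.
SAMPLE_LOG = [
    "2025-03-04T02:13:01Z atm=ATM-0417 event=HOST_AUTH txn=A1001 amount=200",
    "2025-03-04T02:13:04Z atm=ATM-0417 event=DISPENSE txn=A1001 amount=200",
    "2025-03-04T02:20:30Z atm=ATM-0902 event=HOST_AUTH txn=B2001 amount=400",
    "2025-03-04T02:20:33Z atm=ATM-0902 event=DISPENSE txn=B2001 amount=400",
    "2025-03-04T02:41:10Z atm=ATM-0417 event=DISPENSE txn=- amount=2000",
    "2025-03-04T02:41:18Z atm=ATM-0417 event=DISPENSE txn=- amount=2000",
    "2025-03-04T02:41:26Z atm=ATM-0417 event=DISPENSE txn=- amount=2000",
    "2025-03-04T02:41:34Z atm=ATM-0417 event=DISPENSE txn=- amount=2000",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    atm: str
    event: str
    txn: str
    amount: int


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event (raises on unknown format)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["atm"], m["event"], m["txn"], int(m["amount"]))


def detect(lines, auth_window=timedelta(seconds=60),
           burst_window=timedelta(seconds=60), burst_count=3, burst_amount=3000):
    """Return alerts for dispenses with no recent host authorization and for
    per-ATM dispense bursts (by count or by total amount within burst_window)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    pending_auth = {}             # (atm, txn) -> time the host authorized it
    recent = defaultdict(deque)   # atm -> (ts, amount) of dispenses in the window
    alerts = []
    for e in events:
        if e.event == "HOST_AUTH":
            pending_auth[(e.atm, e.txn)] = e.ts
            continue
        if e.event != "DISPENSE":
            continue
        # Rule 1: a dispense must be preceded by a host authorization for the
        # same transaction, and within auth_window; each authorization is
        # consumed so a replayed txn id cannot cover a second dispense.
        auth_ts = pending_auth.pop((e.atm, e.txn), None)
        if auth_ts is None or e.ts - auth_ts > auth_window:
            alerts.append({"atm": e.atm, "ts": e.ts, "kind": "UNAUTHORIZED_DISPENSE",
                           "amount": e.amount, "txn": e.txn})
        # Rule 2: too many dispenses, or too much cash, from one ATM in the window.
        window = recent[e.atm]
        window.append((e.ts, e.amount))
        while e.ts - window[0][0] > burst_window:
            window.popleft()
        total = sum(amount for _, amount in window)
        if len(window) >= burst_count or total >= burst_amount:
            alerts.append({"atm": e.atm, "ts": e.ts, "kind": "DISPENSE_BURST",
                           "amount": total, "txn": e.txn})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['atm']} {a['kind']} amount={a['amount']} txn={a['txn']}")
```

On the constructed log, the two host-authorized withdrawals produce nothing, while the four unmatched dispenses on ATM-0417 each raise an unauthorized-dispense alert and, from the second one onward, a burst alert as well. The burst rule fires on every dispense once the window is over threshold, which is deliberate: an operations team wants the alert to keep escalating while cash is still leaving the machine, and a reasonable follow-up action is an automatic dispenser lock on that ATM pending a physical check.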
The recent spike in jackpotting activity serves as a reminder that cybercrime continues to evolve across both digital and physical domains. For banks and financial service providers, defending ATMs now requires the same rigor applied to cloud infrastructure and enterprise endpoints.