U.S. DOJ Charges 54 in Massive ATM Jackpotting Scheme Using Ploutus Malware

By Imthiyaz Ali

The Operation: A Nationwide ATM Jackpotting Conspiracy

The scheme relied on Ploutus malware, one of the longest-lived ATM malware families, to force ATMs to dispense large amounts of cash with no corresponding authorized transaction. The operation targeted banks and credit unions nationwide, with 1,529 confirmed incidents as of August 2025.

Key Figures:
  • 54 defendants charged in two federal indictments
  • $40.73 million in total losses
  • 1,529 incidents documented since 2021
  • Many defendants linked to the Venezuelan gang Tren de Aragua (TdA), designated a foreign terrorist organization

How the Attack Worked: Step-by-Step

  1. Reconnaissance – Teams scouted ATMs to identify models vulnerable to physical access and checked for alarm systems.
  2. Physical Access – Attackers opened the ATM cabinet using keys or force, often at night or in low-traffic locations.
  3. Malware Installation – They installed Ploutus malware by:
    • Replacing the hard drive with a pre-infected one
    • Installing malware directly onto the existing drive
    • Using a USB thumb drive to deploy the payload
  4. Cash Extraction – Once the malware was running, the attackers triggered the dispenser on command using special activation codes, emptying the machine in large amounts (often thousands of dollars per machine) without any bank-authorized withdrawal behind the payouts.
  5. Clean-Up – Ploutus deleted logs and traces to avoid detection, allowing attackers to move to the next target.

Ploutus Malware: A Persistent Threat

First discovered in Mexico in 2013, Ploutus has evolved over the years to target a wide range of ATM vendors, including Diebold Nixdorf, NCR, and others. It operates on Windows-based ATMs and is capable of:

  • Forcing cash dispensers to eject money without authorization
  • Disabling or bypassing security sensors
  • Erasing evidence of the attack

The variant used in this scheme was highly customized and included advanced anti-detection techniques.

Tren de Aragua Connection

Many of the defendants are alleged members or associates of Tren de Aragua (TdA), a transnational criminal organization originating in Venezuela. The DOJ stated that profits from the scheme were used to fund TdA’s broader criminal activities, including terrorism. This marks one of the first major prosecutions linking TdA to large-scale cyber-enabled financial crime in the United States.

Legal Consequences

The charges include:

  • Conspiracy to provide material support to a foreign terrorist organization
  • Bank fraud
  • Burglary
  • Computer fraud and abuse
  • Money laundering

Some defendants face potential sentences of up to 335 years in prison.

Industry and Law Enforcement Response

The FBI, U.S. Secret Service, and international partners coordinated the investigation. Banks and ATM operators have been urged to:

  • Implement physical security upgrades
  • Apply firmware and software patches
  • Monitor for unusual cash-dispensing activity
  • Adopt tamper-detection mechanisms
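As an added example, not from the article and not from any bank's or ATM vendor's tooling, the following Python script applies the last two recommendations to a constructed ATM event log. The log format (HOST_AUTH, DISPENSE and DOOR_OPEN/DOOR_CLOSE events with ISO-8601 timestamps) is a hypothetical stand-in for vendor-specific middleware logs; the three checks it runs are the point: a dispense with no matching host authorization (each authorization may be consumed only once), a dispensed total that crosses a burst threshold within a short window, and a cabinet-open sensor event shortly before the payout, which is attached as context to any alert raised.

```python
"""Added detection example (not from the article or from any vendor's tooling).

Assumption, constructed for this example: each ATM writes a line-oriented
event log of the form "<ISO-8601 timestamp> <atm-id> <EVENT> [amount=<usd>]"
with event types HOST_AUTH (bank host approved a withdrawal), DISPENSE (the
dispenser paid out) and DOOR_OPEN / DOOR_CLOSE (cabinet tamper sensor).
Real ATM middleware logs are vendor-specific; adapt parse_log() accordingly.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    amount: int = 0  # USD; 0 for sensor events


@dataclass
class Alert:
    atm: str
    ts: datetime
    amount: int
    reasons: list = field(default_factory=list)


# Constructed sample log. ATM-117 shows a jackpotting pattern: cabinet opened
# at night, then three large dispenses with no host authorization. ATM-042
# shows a legitimate withdrawal followed by a second dispense that tries to
# reuse an authorization that was already consumed.
SAMPLE_LOG = """
2025-03-02T02:11:05 ATM-117 DOOR_OPEN
2025-03-02T02:11:40 ATM-117 DOOR_CLOSE
2025-03-02T02:14:02 ATM-117 DISPENSE amount=2000
2025-03-02T02:14:30 ATM-117 DISPENSE amount=2000
2025-03-02T02:15:01 ATM-117 DISPENSE amount=2000
2025-03-02T09:30:11 ATM-042 HOST_AUTH amount=200
2025-03-02T09:30:13 ATM-042 DISPENSE amount=200
2025-03-02T09:30:40 ATM-042 DISPENSE amount=200
"""


def parse_log(text):
    """Parse the hypothetical log format into Event objects sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, atm, kind, *rest = line.split()
        amount = int(rest[0].split("=", 1)[1]) if rest else 0
        events.append(Event(datetime.fromisoformat(ts), atm, kind, amount))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_dispenses(events, auth_window=timedelta(seconds=60),
                              burst_window=timedelta(minutes=5),
                              burst_total=5000,
                              door_window=timedelta(hours=24)):
    """Flag DISPENSE events that (a) have no matching HOST_AUTH of the same
    amount within the preceding auth_window, each authorization being usable
    once, or (b) push the ATM's dispensed total within burst_window to at
    least burst_total. A DOOR_OPEN within door_window is added as context."""
    alerts = []
    by_atm = {}
    for e in events:
        by_atm.setdefault(e.atm, []).append(e)

    for atm, evs in by_atm.items():
        auths = [e for e in evs if e.kind == "HOST_AUTH"]
        doors = [e for e in evs if e.kind == "DOOR_OPEN"]
        dispenses = [e for e in evs if e.kind == "DISPENSE"]
        consumed = set()  # indices of auths already paired with a dispense
        for d in dispenses:
            reasons = []
            match = next((i for i, a in enumerate(auths)
                          if i not in consumed
                          and d.ts - auth_window <= a.ts <= d.ts
                          and a.amount == d.amount), None)
            if match is None:
                reasons.append("no matching host authorization")
            else:
                consumed.add(match)
            total = sum(x.amount for x in dispenses
                        if d.ts - burst_window <= x.ts <= d.ts)
            if total >= burst_total:
                reasons.append(f"{total} USD dispensed within {burst_window}")
            if reasons and any(d.ts - door_window <= o.ts <= d.ts for o in doors):
                reasons.append(f"cabinet opened within {door_window}")
            if reasons:
                alerts.append(Alert(atm, d.ts, d.amount, reasons))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_dispenses(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.atm} dispensed {a.amount} USD: "
              + "; ".join(a.reasons))
```

Running the script on the constructed log raises four alerts: the three night-time ATM-117 dispenses (unauthorized, cabinet recently opened, and the third one crossing the 5,000 USD burst threshold) and the second ATM-042 dispense, which falls inside the authorization window but is flagged because the only matching authorization was already consumed by the first withdrawal. The thresholds and windows are illustrative and would be tuned per fleet.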
Imthiyaz Ali
Imthiyaz Ali is an experienced cybersecurity professional with over five years of experience in cybersecurity research.