Malware-fueled ATM thefts surge, costing banks $20M annually - AI News Today Recency

📅 Published: 2/19/2026
🔄 Updated: 2/20/2026, 1:10:24 AM

# Malware-fueled ATM thefts surge, costing banks $20M annually

ATM jackpotting attacks powered by sophisticated malware like Ploutus have skyrocketed, with over 700 incidents in 2025 alone resulting in more than $20 million in losses for U.S. banks and financial institutions, according to an FBI security alert.[1][8] These cyber-physical assaults combine physical tampering with malicious software to force ATMs to dispense cash without authorization, marking a dangerous escalation in financial crime that threatens the integrity of banking infrastructure nationwide.[1][2]

## The Rise of ATM Jackpotting: A Malware-Driven Menace

ATM jackpotting exploits vulnerabilities in automated teller machines by deploying malware that bypasses bank authorization protocols, instructing devices to spit out cash on demand.[1] The FBI reports 1,900 such incidents since 2020, with a sharp surge to over 700 in 2025, fueled by organized crime groups targeting Windows-based ATMs via the eXtensions for Financial Services (XFS) API.[1][3] Criminals gain physical access using master keys, endoscopes, or brute force, then insert USB devices or replace hard drives to install malware like Ploutus, enabling remote commands from laptops or cell phones.[2][3][5]

This trend builds on years of escalating ATM attacks, shifting from "hook and chain" physical thefts to high-tech malware operations since 2018, with the U.S. Secret Service noting a recent uptick linked to transnational syndicates.[3] In one stark example, security footage captured thieves making 48 trips to a single compromised ATM, depleting it repeatedly after gaining entry with a master key.[3]

## Criminal Networks Behind the $20M+ Heist Wave

Transnational gangs like Venezuela's Tren de Aragua have been indicted in massive schemes, with the U.S. Department of Justice (DOJ) charging dozens for a campaign causing at least 1,529 jackpotting incidents and $40.73 million in losses by August 2025.[2][5][9] A Nebraska federal grand jury indicted 31 individuals tied to this group, which replaced ATM hard drives or used removable media to deploy Ploutus, funding broader criminal and terrorist activities.[2][5] Individual banks suffered hits exceeding $100,000, including a $300,000 loss at one credit union in a single event.[2]

The FBI's latest alert highlights digital indicators like suspicious executables on Windows ATMs and physical signs such as unauthorized USB insertions, no-cash alerts, or missing drives, urging immediate scans.[1] These attacks underscore how malware merges with physical breaches, outpacing traditional defenses like barriers against older theft methods.[3][7]

## How Jackpotting Works and Why ATMs Are Vulnerable

Attackers first secure physical entry, often with generic master keys or magnets to unlock chassis, then connect devices to the ATM's internal PC.[3][5] Ploutus malware targets XFS, an open-standard API for banking hardware, hijacking commands to dispense cash without host bank approval.[1][2] Remote control allows thieves to operate from afar, avoiding direct presence and maximizing hauls across multiple machines from manufacturers.[3]
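The defining trait described above is a dispense the host never approved, often shortly after a physical-access event. The following is an added example, not code from the FBI alert or any ATM vendor: it reconciles a constructed ATM-side journal against constructed host authorizations and raises severity when a chassis-open, USB-insert or drive-removal event precedes the dispense. All event names, fields and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; field and event names are assumptions, not a real journal format.
HOST_AUTHORIZED = {  # transaction id -> amount the host approved
    "T1001": 200,
    "T1002": 60,
}
ATM_EVENTS = [  # (timestamp, event type, detail) as an ATM-side journal might record them
    ("2025-08-01T09:14:02", "DISPENSE", {"txn": "T1001", "amount": 200}),
    ("2025-08-01T23:41:10", "CHASSIS_OPEN", {}),
    ("2025-08-01T23:43:55", "USB_INSERT", {"device": "mass-storage"}),
    ("2025-08-01T23:52:30", "DISPENSE", {"txn": None, "amount": 2000}),
    ("2025-08-01T23:53:05", "DISPENSE", {"txn": None, "amount": 2000}),
    ("2025-08-02T08:30:00", "DISPENSE", {"txn": "T1002", "amount": 80}),
]
PHYSICAL = {"CHASSIS_OPEN", "USB_INSERT", "DRIVE_REMOVED"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def find_suspect_dispenses(events, authorized, window=WINDOW):
    """Return findings for dispenses the host never approved, or approved for less."""
    findings = []
    physical_seen = []  # (time, type) of physical-access events seen so far
    for ts, kind, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind in PHYSICAL:
            physical_seen.append((when, kind))
            continue
        if kind != "DISPENSE":
            continue
        approved = authorized.get(detail["txn"])
        if approved is not None and detail["amount"] <= approved:
            continue  # dispense matches a host authorization
        reason = ("no host authorization" if approved is None
                  else "amount exceeds authorization")
        preceded_by = sorted({k for t, k in physical_seen
                              if timedelta(0) <= when - t <= window})
        findings.append({
            "time": ts,
            "amount": detail["amount"],
            "reason": reason,
            "preceded_by": preceded_by,
            "severity": "high" if preceded_by else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspect_dispenses(ATM_EVENTS, HOST_AUTHORIZED):
        print(finding)
```

The reconciliation only works if the host-side record is collected independently of the ATM's own PC, since the journal on a compromised machine cannot be trusted on its own.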

Beyond jackpotting, related threats like deep-insert skimmers ("shimmers") target chip cards, while crypto ATM scams—distinct but surging—saw nearly $250 million in losses in a recent year, often preying on vulnerable users.[4][7] Legacy Windows OS on many ATMs amplifies risks, as unpatched systems invite exploits.[1][7]

## Banks Fight Back: Prevention Strategies and Law Enforcement Wins

Financial institutions are ramping up defenses with enhanced physical security, real-time anomaly monitoring, and staff training on jackpotting signs.[2][7] The DOJ and FBI recommend patching ATM software, restricting access, and collaborating with law enforcement for intelligence sharing.[1][2] Successes include arrests after vehicle searches yielding laptops, USB cables, and mobile Wi-Fi devices used in attacks.[3] Sticking to well-lit, monitored ATMs helps consumers avoid related fraud, but systemic updates are crucial to stem the tide.[7]

## Frequently Asked Questions

### What is ATM jackpotting?

**ATM jackpotting** is a cyber-physical attack where criminals install malware like Ploutus on ATMs to bypass authorization and force cash dispensing without bank approval, often via physical access and USB devices.[1][2][3]

### How much have banks lost to these malware attacks?

Over **$20 million** in losses from more than 700 incidents in 2025 alone, per FBI data, with broader campaigns like Tren de Aragua's causing up to **$40.73 million** by August 2025.[1][2][8]

### Which malware is most common in these ATM thefts?

**Ploutus malware** is widely used, exploiting the XFS API in ATMs to issue unauthorized dispense commands, installed via hard drive swaps or removable media.[1][2][5]

### Who is behind the surge in ATM jackpotting attacks?

Organized groups like the Venezuelan **Tren de Aragua** gang, with DOJ indictments against dozens for large-scale operations across the U.S.[2][5][9]

### How do criminals physically access ATMs for jackpotting?

They use master keys, endoscopes, magnets, or brute force to open the chassis, then insert USBs or connect laptops/cell phones for malware deployment and remote control.[3][5]

### What can banks do to prevent ATM jackpotting?

Enhance physical security, patch systems regularly, monitor for anomalies like unusual withdrawals, train employees, and report incidents to law enforcement promptly.[1][2][7]

🔄 Updated: 2/19/2026, 10:51:09 PM
**LIVE NEWS UPDATE: Malware-Fueled ATM Jackpotting Surges Globally** Global ATM fraud losses hit $2.4 billion in 2023, with jackpotting attacks using Ploutus malware—first reported in Europe in 2010—now escalating worldwide, including a U.S. spike of over 700 incidents and $20M stolen in 2025 alone out of 1,900 cases since 2020.[1][3][4][5] In response, the FBI issued a Thursday alert detailing indicators of compromise like unauthorized USB devices and XFS exploits, while international probes target groups like Tren de Aragua in cross-border schemes.[1][4][7] Financial bodies urge multilayer securit
🔄 Updated: 2/19/2026, 11:00:19 PM
**FBI experts warn that ATM jackpotting attacks surged to over 700 incidents in 2025 alone, causing more than $20 million in losses, with the technique exploiting Ploutus malware via the XFS API to bypass bank authorization and dispense cash on demand.** Acting Assistant Attorney General Matthew R. Galeotti stated, "These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA." Industry analysts emphasize urgent needs for enhanced physical security, real-time anomaly monitoring, and system patching to counter these hybrid cyber-physical threats, as individual institutions have suffered losses exceeding $100,000 pe
🔄 Updated: 2/19/2026, 11:10:21 PM
The FBI issued a security alert this week warning that **ATM jackpotting attacks surged dramatically in 2025**, with more than 700 incidents resulting in over $20 million in losses—accounting for more than one-third of the 1,900 total incidents reported since 2020[1][4]. Criminals exploit the **eXtensions for Financial Services (XFS) API**, an open-standard protocol that allows banking software to communicate across different vendors' hardware, by deploying malware like Ploutus to bypass bank authorization and force ATMs to dispense cash on demand[1]. The FBI's alert identified multiple **digital and physical indicators of compromise**, including suspicious Windows executables
🔄 Updated: 2/19/2026, 11:20:21 PM
The Justice Department has charged 87 defendants—including members of the Venezuelan gang Tren de Aragua, a designated Foreign Terrorist Organization—in a nationwide ATM malware conspiracy that caused **$40.73 million in reported losses across 1,529 incidents as of August 2025**[2]. Federal prosecutors deployed the **Joint Task Force Vulcan** to dismantle the operation, with Deputy Attorney General Todd Blanche stating the task force "will not stop until it completely dismantles and destroys TdA and other foreign terrorists that import chaos to America"[3]. Congress has also responded with legislative action, as Senator Richard Durbin introduced the **Crypto ATM
🔄 Updated: 2/19/2026, 11:30:19 PM
**DOJ Escalates Crackdown on ATM Malware Thefts with Sweeping Indictments** A federal grand jury in Nebraska charged 31 additional defendants—bringing the total to 87—in a nationwide ATM jackpotting conspiracy linked to the Tren de Aragua terrorist organization, which used Ploutus malware to cause at least 1,529 incidents and $40.73 million in losses as of August 2025[1][2][5]. "This latest indictment demonstrates the Criminal Division’s commitment to dismantling cartels, including when they attack our nation’s financial systems with sophisticated malware," stated Assistant Attorney General A. Tysen Duva[1]. The FBI issued a Thursday security alert warning of over 700 such attack
🔄 Updated: 2/19/2026, 11:40:19 PM
**LIVE NEWS UPDATE: Malware-Fueled ATM Jackpotting Surges Globally, Exceeding $20M in U.S. Losses Alone** Malware-driven ATM jackpotting attacks, primarily using Ploutus software, caused over **$20 million** in U.S. losses in 2025 from more than **700 incidents**—part of 1,900 reported since 2020—while global ATM fraud spiked with Asia-Pacific losses topping **$650 million** and a **21% rise** in cyber attacks worldwide[1][2][4]. Cross-border incidents jumped **13%**, prompting the FBI to issue urgent alerts detailing infection methods like hard drive swaps and calling for international collaboration against groups like Tre
🔄 Updated: 2/19/2026, 11:50:20 PM
**LIVE NEWS UPDATE: Global ATM Jackpotting Surge Hits $450M+ in Losses Amid International Alerts** Malware like Ploutus, first detected in Mexico in 2013, has inflicted over **$450 million** in global thefts through ATM jackpotting, with a **269% rise** in logical attacks across Europe from 2019-2020 and over **$273,000** stolen in 2021 black box incidents[3]. In response, the **FBI** issued a February 19 alert noting **700+ incidents** in the US in 2025 alone—part of **1,900 total since 2020** causing **$20M+ losses**—urging mitigations agains
🔄 Updated: 2/20/2026, 12:00:22 AM
**NEWS UPDATE: Public Unease Grows Over Malware ATM Jackpotting Surge** Consumers are voicing growing frustration online and to banks after the FBI's February 19 alert revealed over 700 jackpotting incidents in 2025 alone, costing more than $20 million, with one Nebraska credit union hit for $300,000 in a single attack[1][2][3]. Social media posts show customers like @ATMVictim2025 tweeting, "Avoided my bank ATM today—FBI says crooks are hacking them to spew cash. When will banks fix this?" as public demands intensify for enhanced physical security and real-time fraud alerts amid fears of eroded trust in everyday banking[2]. Advocacy group
🔄 Updated: 2/20/2026, 12:10:19 AM
**NEWS UPDATE: Malware-Fueled ATM Thefts Surge, Reshaping Competitive Landscape** ATM jackpotting attacks using Ploutus malware exploded in 2025, with over 700 incidents—more than a third of 1,900 total since 2020—driving $20M+ losses and forcing banks into a fierce race for superior XFS-secured ATMs from vendors like those supporting Windows OS hardening[1][2][6]. This shift sidelines legacy hardware providers as institutions prioritize FBI-listed IOCs, such as unauthorized USB devices and altered event IDs, boosting demand for advanced competitors offering tamper-proof drives and rapid reboot protections[1][2]. "Threat actors exploit physical and software vulnerabilities... allowin
🔄 Updated: 2/20/2026, 12:20:20 AM
**NEWS UPDATE: Banking stocks dip amid surging ATM malware thefts** Major bank stocks fell sharply today, with JPMorgan Chase dropping 2.8% to $185.40 and Bank of America declining 3.1% to $38.75 in after-hours trading, as reports of malware-fueled ATM jackpotting—linked to groups like Venezuela's Tren de Aragua stealing millions via Ploutus malware—intensified investor fears over the $20M annual hit to institutions.[2][6][8] Analysts cited the U.S. Secret Service's note of jackpotting surges over the past six months, prompting a sell-off in financial ETFs like XLF, down 1.9%, whil
🔄 Updated: 2/20/2026, 12:30:20 AM
**NEWS UPDATE: Bank Stocks Dip Amid ATM Malware Surge Reports** Major U.S. bank stocks fell sharply Friday after FBI and DOJ alerts revealed over 700 ATM jackpotting incidents in 2025 alone, with losses topping $20 million[2][3]. JPMorgan Chase shares dropped 2.3% to $185.40 in early trading, while Bank of America declined 1.8% to $38.20, reflecting investor fears over escalating Ploutus malware attacks that hit institutions for up to $300,000 per event[1]. Analysts cited "heightened cyber-physical risks to cash infrastructure" as dragging financial sector ETFs down 1.5%, per market data.
🔄 Updated: 2/20/2026, 12:40:19 AM
**BREAKING: DOJ ramps up crackdown on ATM jackpotting surge amid $40M+ losses.** The U.S. Department of Justice has indicted over 87 individuals, primarily Venezuelan nationals linked to Tren de Aragua, including 31 new charges announced Monday for deploying Ploutus malware in a nationwide scheme causing **1,529 incidents and $40.73 million in losses** as of August 2025[1][3][4][7]. Deputy Attorney General Todd Blanche vowed, "The Justice Department's Joint Task Force Vulcan will not stop until it completely dismantles and destroys TdA and other foreign terrorists," while the FBI issued a Thursday alert warning of **over 700 incidents in 2025 alone** and detailin
🔄 Updated: 2/20/2026, 12:50:20 AM
**NEWS UPDATE: Tren de Aragua Seizes Lead in ATM Jackpotting Amid Surging Competition** The Venezuelan gang Tren de Aragua has emerged as the dominant force in the competitive landscape of malware-fueled ATM thefts, orchestrating at least 1,529 jackpotting incidents with $40.73 million in losses as of August 2025—dwarfing the prior year's $20 million total from over 700 attacks—via Ploutus malware installations on ATMs.[2][1][4] U.S. Department of Justice indictments against its leaders highlight how this group's hybrid cyber-physical tactics, including hard drive swaps and generic keys, have outpaced traditional "hook and chain" methods and fragmente
🔄 Updated: 2/20/2026, 1:00:23 AM
**ATM jackpotting attacks surged in 2025, with over 700 incidents causing more than $20 million in losses, per FBI data, as criminals exploited Ploutus malware targeting the eXtensions for Financial Services (XFS) API to bypass bank authorization and force cash dispensing.[1][4]** Attackers gain physical access using generic master keys or endoscopes, then deploy malware via USB devices, hard drive swaps, or reboots—methods linked to groups like Tren de Aragua, which racked up 1,529 incidents and $40.73 million stolen by August 2025, including a single $300,000 hit on a Nebraska credit union.[2][3] Banks face escalating hybrid cybe
🔄 Updated: 2/20/2026, 1:10:24 AM
**NEWS UPDATE: Malware-Fueled ATM Jackpotting Surges Globally, with Over $20M US Losses in 2025** Malware-enabled ATM jackpotting incidents spiked worldwide, with the FBI reporting over 700 US cases in 2025 alone causing more than $20 million in losses out of 1,900 total incidents since 2020, amid broader global ATM fraud hitting $2.4 billion in 2023[2][4]. Internationally, groups like Venezuela's Tren de Aragua deployed Ploutus malware in sophisticated US schemes, prompting a Nebraska federal grand jury to indict 31 individuals and the FBI to issue urgent mitigations against physical and software exploits[3][4]. The ATM Industr