A surge in ATM “jackpotting” attacks has prompted federal authorities to warn banks and operators that a sophisticated strain of malware is allowing criminals to force machines to dispense cash on demand, often in minutes and without a traceable customer transaction.
A Warning From Federal Authorities
The Federal Bureau of Investigation has issued a FLASH alert detailing a rise in so-called ATM jackpotting attacks — a form of malware-enabled crime that causes machines to release cash without a legitimate withdrawal.
According to the bureau, more than 1,900 ATM jackpotting incidents have been reported nationwide since 2020. Over 700 of those incidents, accounting for more than $20 million in losses, occurred in 2025 alone. The figures reflect what federal officials describe as a growing pattern: increasingly organized efforts to exploit both physical and software vulnerabilities in automated teller machines.
The alert, distributed to financial institutions and industry partners, outlines indicators of compromise and technical details associated with the attacks. It also urges organizations to implement recommended mitigation measures and encourages vigilance from the public. At the center of the warning is a family of malware known as Ploutus, which investigators say has been deployed in a number of recent incidents.
Exploiting the Machine Itself
Unlike schemes that target individual bank customers, ATM jackpotting attacks are directed at the machines.
Ploutus malware abuses a software layer known as eXtensions for Financial Services, or XFS. The XFS framework is a vendor-neutral middleware standard that sits between the ATM application and the machine's physical peripherals, translating the application's requests into instructions for components such as the cash dispenser, card reader and PIN pad.
Under normal circumstances, when a customer initiates a withdrawal, the ATM application first obtains authorization for the transaction from the bank's host and only then instructs the dispenser, through XFS, to pay out. The XFS layer itself performs no authorization; it carries out whatever a local application asks of it. So if a threat actor is able to issue commands directly to the XFS layer, investigators say, the host authorization step is bypassed altogether and the dispenser pays out with no corresponding customer transaction.
Once installed, Ploutus gives attackers direct control over the ATM. The malware does not require connection to a legitimate bank account. Instead, it enables criminals to trigger cash withdrawals at will, often within minutes. Because the attack targets the machine’s internal processes rather than customer credentials, the activity can be difficult to detect until after the money has been removed.
Because XFS is a common standard rather than a single vendor's interface, the malware can function across ATMs made by different manufacturers with only minimal adjustments. Federal officials note that the compromise often leverages weaknesses in the Windows operating system that runs many ATM platforms.
Gaining Access
To deploy the malware, attackers typically begin with physical access to the machine.
According to the FBI alert, criminals frequently open an ATM using widely available generic keys. Once inside, they use one of several primary methods to install malicious software.
In some cases, attackers remove the ATM's hard drive, connect it to their own computer, copy the malware onto the drive, then reinstall it in the machine and reboot. In others, they replace the original hard drive entirely with a foreign drive or external boot device that already contains preloaded malware, again rebooting the machine so that it starts from the attacker-controlled disk.
The bureau’s description underscores a recurring element in jackpotting incidents: the blend of physical intrusion and technical manipulation. By targeting the internal hardware, attackers circumvent many network-based security controls.
Signs of Compromise
Federal officials have outlined several physical indicators that may signal an infected ATM. Among them are door-open alerts outside scheduled maintenance periods and low or no-cash indicators that occur outside expected usage patterns. The presence of unauthorized devices plugged into the ATM and the unexplained removal of hard drives are additional warning signs. Machines that suddenly appear out of service without a clear maintenance explanation may also warrant scrutiny.
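The indicators above only help if an operator actually correlates them against its own maintenance records and transaction logs. The following is an added example, not part of the FBI alert or any vendor's monitoring product, of how a small detector might do that. The telemetry format, field names, event names, maintenance schedule and the 30-minute correlation window are all assumptions made for this example, and the log lines are constructed to show a typical jackpotting sequence: door opened at night outside any maintenance window, a USB storage device attached, the disk removed, a reboot, and then a burst of dispense events that carry no host authorization reference, ending in a cash-low and out-of-service condition.

```python
"""Correlate ATM telemetry against a maintenance schedule and flag the
jackpotting indicators the FBI FLASH alert lists: door-open events outside
maintenance, unauthorized attached devices, unexplained hard-drive removal,
cash dispensed without a host-authorized transaction, and cash-low or
out-of-service conditions outside maintenance.
Event format, field names and thresholds are assumptions for this example."""
from datetime import datetime, timedelta

# Constructed maintenance windows per ATM (inclusive start, exclusive end).
MAINTENANCE = {
    "ATM-0417": [(datetime(2025, 3, 4, 9, 0), datetime(2025, 3, 4, 10, 0))],
}

# Constructed telemetry lines: "<ISO timestamp> <atm_id> <event> [key=value ...]".
# "auth=-" marks a dispense with no host authorization reference.
SAMPLE_LOG = """\
2025-03-04T09:12:00 ATM-0417 DOOR_OPEN
2025-03-04T09:40:00 ATM-0417 DOOR_CLOSE
2025-03-04T09:55:00 ATM-0417 DISPENSE amount=100 auth=H81237
2025-03-05T02:31:00 ATM-0417 DOOR_OPEN
2025-03-05T02:33:00 ATM-0417 DEVICE_ATTACHED class=USB_STORAGE
2025-03-05T02:36:00 ATM-0417 DISK_REMOVED
2025-03-05T02:41:00 ATM-0417 REBOOT
2025-03-05T02:44:00 ATM-0417 DISPENSE amount=2000 auth=-
2025-03-05T02:45:00 ATM-0417 DISPENSE amount=2000 auth=-
2025-03-05T02:46:00 ATM-0417 DISPENSE amount=2000 auth=-
2025-03-05T02:47:00 ATM-0417 CASH_LOW
2025-03-05T02:48:00 ATM-0417 OUT_OF_SERVICE
"""


def parse_line(line):
    """Parse one telemetry line into a dict with a datetime 'ts' field."""
    ts, atm, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "atm": atm, "event": event, **fields}


def in_maintenance(atm, ts):
    """True if ts falls inside a scheduled maintenance window for this ATM."""
    return any(start <= ts < end for start, end in MAINTENANCE.get(atm, []))


def detect(log_text, chain_window=timedelta(minutes=30)):
    """Return a list of (timestamp, atm, rule, detail) alerts, in log order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    last_door_open = {}  # atm -> most recent door open outside maintenance
    last_reboot = {}     # atm -> most recent reboot
    for e in events:
        atm, ts, ev = e["atm"], e["ts"], e["event"]
        maint = in_maintenance(atm, ts)
        if ev == "DOOR_OPEN" and not maint:
            alerts.append((ts, atm, "door_open_outside_maintenance", ""))
            last_door_open[atm] = ts
        elif ev == "DEVICE_ATTACHED":
            alerts.append((ts, atm, "unauthorized_device", e.get("class", "?")))
        elif ev == "DISK_REMOVED" and not maint:
            alerts.append((ts, atm, "unexplained_disk_removal", ""))
        elif ev == "REBOOT":
            last_reboot[atm] = ts
        elif ev == "DISPENSE" and e.get("auth", "-") == "-":
            alerts.append((ts, atm, "dispense_without_host_auth",
                           "amount=" + e.get("amount", "?")))
        elif ev in ("CASH_LOW", "OUT_OF_SERVICE") and not maint:
            alerts.append((ts, atm, ev.lower() + "_outside_maintenance", ""))
        # Chain rule (high confidence): out-of-window door open, then a reboot,
        # then cash dispensed, all within chain_window of the door opening.
        opened, rebooted = last_door_open.get(atm), last_reboot.get(atm)
        if (ev == "DISPENSE" and opened and rebooted
                and opened <= rebooted <= ts and ts - opened <= chain_window):
            alerts.append((ts, atm, "jackpotting_chain",
                           "door opened " + opened.isoformat()))
    return alerts


def summarize(alerts):
    """Count alerts per (atm, rule) so an analyst sees the pattern at a glance."""
    counts = {}
    for _, atm, rule, _ in alerts:
        counts[(atm, rule)] = counts.get((atm, rule), 0) + 1
    return counts


if __name__ == "__main__":
    for ts, atm, rule, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), atm, rule, detail)
    print(summarize(detect(SAMPLE_LOG)))
```

The in-window door open and the authorized dispense on 4 March produce no alerts, which is the point of correlating against the schedule and the host's authorization records rather than alerting on every door event. On the constructed 5 March sequence every dispense is flagged twice, once for lacking a host authorization reference and once as part of the door-open, reboot, dispense chain; the chain rule is the one worth paging on.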
The FLASH alert emphasizes that these indicators should prompt immediate investigation. While the bureau’s advisory does not specify individual cases, the cumulative data point to a sustained and evolving threat, one that has shifted attention from customer-facing fraud to the infrastructure of cash distribution itself. For banks and ATM operators, the message is direct: the machine — not the cardholder — is now the primary target.
