FBI Alert: ₹166 Crore Lost to ATM Jackpotting in 2025, Advisory Issued to Banks

The420.in Staff

The Federal Bureau of Investigation (FBI), the United States federal law enforcement agency, issued a FLASH alert on February 19 warning financial institutions about a surge in ATM jackpotting attacks. According to the agency, more than 700 incidents were reported in 2025, resulting in losses exceeding $20 million (approximately ₹166 crore).

The FBI stated that attackers use a technique known as “jackpotting” to force ATMs to dispense cash directly—without compromising any customer bank accounts. The attacks often involve malware such as Ploutus, which sends commands to the ATM’s eXtensions for Financial Services (XFS) software layer, bypassing the bank’s authorization process.

How the Attack Works

According to the alert, criminals typically gain physical access to the ATM. They open the cabinet, remove the hard drive, and connect it to their own systems to install malware, or replace it with a pre-infected drive.

The FBI warned that generic keys used to open ATM front panels are widely available, increasing the risk. Replacing standard locks is considered a primary preventive measure.

The agency also noted that because most ATMs run on Windows-based systems, attackers can adapt similar code to target machines from different manufacturers with minimal changes.

₹166 Crore in Losses Raises Banking Concerns

The reported 700+ incidents in 2025 resulted in total losses of over $20 million (approximately ₹166 crore, based on an estimated exchange rate of ₹83 per dollar), raising concerns across the banking sector.

The FBI has also shared Indicators of Compromise (IoCs) with financial institutions, including suspicious file names, scripts, and USB insertion-related event IDs that may signal a breach.

The FBI has advised a multi-layered security approach to prevent ATM jackpotting:

Physical Security

  • Replace standard locks
  • Install additional keypad locks on maintenance hatches and cash boxes
  • Ensure high-resolution CCTV coverage

Hardware Security

  • Deploy threat sensors to detect unusual vibration or temperature changes
  • Enable device whitelisting to block unauthorized hardware connections
  • Implement disk encryption to prevent unauthorized file installations

Software and Network Security

  • Use Trusted Platform Module (TPM 1.2) for firmware integrity checks
  • Enable Windows memory integrity features
  • Apply IP and software whitelisting
  • Install anti-malware and antivirus solutions

Audit and Monitoring

  • Enable “Audit Removable Storage” and “Audit Object Access” policies
  • Regularly compare ATM file systems against a cryptographically verified “gold image”
  • Change default credentials
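
The gold-image comparison recommended above can be sketched as follows. This is an added example, not code from the FBI alert or from this article: it authenticates a manifest of SHA-256 file hashes before trusting it, then reports files that were added, removed or modified. HMAC-SHA256 stands in for the "cryptographically verified" step, which the article does not specify, and the key, file names and directory tree are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def seal_manifest(digests, key):
    """Serialize the gold manifest; return (manifest_bytes, hmac_tag)."""
    body = json.dumps(digests, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def is_authentic(body, tag, key):
    """Constant-time check of the manifest's HMAC tag."""
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag)

def compare_to_gold(root, body, tag, key):
    """Authenticate the manifest first, then diff the live tree against it."""
    if not is_authentic(body, tag, key):
        raise ValueError("gold manifest failed authentication")
    gold, live = json.loads(body), hash_tree(root)
    return {"added": sorted(set(live) - set(gold)),
            "missing": sorted(set(gold) - set(live)),
            "modified": sorted(p for p in set(gold) & set(live) if gold[p] != live[p])}

def demo():  # constructed tree and key: seal, check clean, tamper, check again
    key = b"constructed-demo-key"  # assumption: the real key is kept off the ATM
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "app"))
        Path(root, "app/dispenser_service.bin").write_bytes(b"v1")
        Path(root, "boot.cfg").write_bytes(b"boot")
        body, tag = seal_manifest(hash_tree(root), key)
        clean = compare_to_gold(root, body, tag, key)
        Path(root, "app/dispenser_service.bin").write_bytes(b"patched")  # modified
        Path(root, "app/unexpected.bin").write_bytes(b"x")               # added
        os.remove(os.path.join(root, "boot.cfg"))                        # missing
        drift = compare_to_gold(root, body, tag, key)
        forged_ok = is_authentic(body.replace(b"boot", b"b00t"), tag, key)
    return clean, drift, forged_ok
if __name__ == "__main__":
    print(demo())
```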

The FBI further recommended testing updates and security configurations on pilot devices to ensure all protective mechanisms function as intended.

Emphasis on Staff Training and Threat Intelligence Sharing

The agency stressed the importance of training employees on software updates and physical maintenance schedules to detect unusual activity promptly. It also encouraged sharing threat intelligence within industry groups to strengthen collective defense.

With ATM jackpotting attacks on the rise, the FBI’s advisory serves as a clear warning to global financial institutions to reinforce both physical and cybersecurity measures simultaneously.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.