FBI - More than $20 million stolen from ATMs in 2025

The FBI has published a bulletin (PDF) warning of a sharp increase in jackpotting attacks on ATMs in the United States. In 2025 alone, more than 700 such incidents were recorded, with total damage exceeding $20 million.

According to the agency, approximately 1,900 malware-based ATM attacks have been registered in the country since 2020. More than 700 of these occurred in 2025, demonstrating a significant increase compared to previous years.

Jackpotting essentially involves attackers gaining physical access to an ATM and installing malware that directly commands the cash-dispensing module. The entire operation typically takes just minutes, and financial institutions and ATM operators only learn of the incident after the money has already been stolen.

Law enforcement officials identify Ploutus malware, which has been around for over a decade, as the primary tool used by these attackers. The malware was actively used in 2017–2018, after which it virtually disappeared from news and expert reports. However, the FBI emphasizes that it remains widely used by criminals.

Ploutus exploits the eXtensions for Financial Services (XFS) software layer, which is responsible for interaction between the ATM and its physical components. During a legitimate transaction, the ATM application sends an authorization request to the bank via XFS. However, if an attacker gains the ability to independently send XFS commands, they completely bypass bank authorization and force the device to dispense cash on demand—without a card, without a customer account, and without the bank's approval.

To install the malware, criminals typically physically open the ATM (for example, using master keys). They then remove the hard drive, copy the malware to it, and reinstall it. Sometimes, the hard drive is even replaced with a pre-installed one.

The FBI also noted that Ploutus operates on ATMs from various manufacturers with virtually no code modifications, because the attacks target Windows-based ATMs. Furthermore, the malware is capable of automatically removing its traces, complicating the work of forensic experts and bank employees.

The document contains indicators of compromise and recommendations for protecting against such attacks. In particular, law enforcement advises financial institutions to regularly audit ATMs for the use of unauthorized removable media and suspicious processes. Combined with integrity verification of master system images, this should help detect physical tampering and malware installation attempts at an early stage.
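As an added example (not from the FBI bulletin or this post), a minimal baseline-integrity check of the kind the recommendation above calls for: hash the approved master image once, re-hash the live ATM file tree later, and flag anything added, removed or changed. The directory layout, file names and tampering in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash one file in chunks so large image files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): sha256_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}

def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Group every deviation from the approved image: new, missing or altered files."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),       # unexpected binaries or dropped tooling
        "removed": sorted(base - cur),     # wiped logs or removed components
        "modified": sorted(k for k in base & cur if baseline[k] != current[k]),
    }

def audit(root, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the live tree and report what differs from the stored baseline."""
    return compare_manifests(baseline, build_manifest(root))

def demo() -> dict[str, list[str]]:
    """Constructed sample image, then tampering of the kind the bulletin describes."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir()
    (root / "logs").mkdir()
    (root / "app" / "atm.exe").write_bytes(b"approved ATM application")
    (root / "logs" / "audit.log").write_bytes(b"boot ok\n")
    baseline = build_manifest(root)  # in practice taken from the golden image offline
    # Simulated tampering: application binary replaced, audit log wiped, unknown file added.
    (root / "app" / "atm.exe").write_bytes(b"patched ATM application")
    (root / "logs" / "audit.log").unlink()
    (root / "tmp").mkdir()
    (root / "tmp" / "dropper.bin").write_bytes(b"unknown payload")
    return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline manifest must be stored and verified off the ATM itself; a manifest kept on the same disk the attacker swaps or rewrites proves nothing.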