FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025

FBI Warns of Significant Increase in ATM Jackpotting Incidents

The US Federal Bureau of Investigation (FBI) has issued a warning about a significant increase in ATM jackpotting incidents, resulting in losses of over $20 million in 2025.

Incident Statistics

According to the agency, 1,900 such incidents have been reported since 2020, with 700 occurring last year. The FBI’s warning comes on the heels of a December 2025 report by the US Department of Justice, which stated that jackpotting attacks have collectively resulted in losses of $40.73 million since 2021.

How Jackpotting Attacks Work

Jackpotting attacks involve the use of specialized malware, such as Ploutus, to infect ATMs and force them to dispense cash without a legitimate transaction. The malware is typically deployed by exploiting physical and software vulnerabilities in the ATMs.

In most cases, cybercriminals gain unauthorized access to the machines by using widely available generic keys to open the ATM’s face. Once inside, the attackers can deploy the malware in one of two ways.

  • They may remove the ATM’s hard drive, connect it to their computer, copy the malware to the hard drive, reattach it to the ATM, and reboot the machine.
  • Alternatively, they may replace the hard drive entirely with a foreign one preloaded with the malware and reboot the ATM.

In either case, the malware interacts directly with the ATM hardware, bypassing any security controls present in the original ATM software.

The Ploutus malware, first observed in Mexico in 2013, grants threat actors complete control over an ATM, enabling them to trigger cash-outs that can occur in minutes and are difficult to detect until after the money is withdrawn.

Recommendations to Mitigate Jackpotting Risks

The FBI has outlined several recommendations to help organizations mitigate jackpotting risks. These include:

  • Tightening physical security by installing threat sensors, setting up security cameras, and changing standard locks on ATM devices.
  • Auditing ATM devices, changing default credentials, configuring an automatic shutdown mode once indicators of compromise are detected, and enforcing device allowlisting to prevent unauthorized access.
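
As an added example (not from the FBI advisory or this article), the Python sketch below shows how the allowlisting and automatic-shutdown recommendations could flag both hard-drive tampering paths described above. It assumes a baseline of the approved disk serial and executable hashes is kept off the ATM's disk; all function names, file names, serials and contents are constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(disk_serial: str, files: dict) -> dict:
    """Record the approved disk serial and one hash per approved executable.
    Assumption: this record is stored off the ATM's disk, so an offline
    edit or a swapped drive cannot rewrite it."""
    return {"disk_serial": disk_serial,
            "allowlist": {p: sha256_hex(b) for p, b in files.items()}}

def find_indicators(baseline: dict, disk_serial: str, files: dict) -> list:
    """Compare a boot-time inventory against the baseline."""
    found = []
    if disk_serial != baseline["disk_serial"]:
        found.append(("disk_replaced", disk_serial))
    allow = baseline["allowlist"]
    for path in sorted(files):
        if path not in allow:
            found.append(("unlisted_executable", path))
        elif sha256_hex(files[path]) != allow[path]:
            found.append(("modified_executable", path))
    for path in sorted(set(allow) - set(files)):
        found.append(("missing_executable", path))
    return found

def decide(indicators: list) -> str:
    """Automatic shutdown: any indicator takes the ATM out of service."""
    return "OUT_OF_SERVICE" if indicators else "IN_SERVICE"

# Constructed sample data (hypothetical file names, serials and contents).
APPROVED = {"atm_app.bin": b"vendor app v1", "dispenser_service.bin": b"vendor svc v1"}
BASELINE = build_baseline("SERIAL-A", APPROVED)
SCENARIOS = {
    "clean": ("SERIAL-A", dict(APPROVED)),
    # drive removed, a file copied onto it, drive reattached
    "file_added_offline": ("SERIAL-A", {**APPROVED, "dropper.bin": b"unknown"}),
    # drive replaced with a foreign, preloaded one
    "drive_swapped": ("SERIAL-B", {"atm_app.bin": b"foreign build"}),
}

def run_demo() -> dict:
    return {name: decide(find_indicators(BASELINE, serial, files))
            for name, (serial, files) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The comparison only helps if it runs somewhere the attacker's drive cannot control, for example on a monitoring system that receives the inventory, since a foreign drive boots its own software.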

The agency’s warning serves as a reminder of the importance of robust security measures to protect against jackpotting attacks, which can result in significant financial losses for organizations and individuals alike.
