FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025


FBI Warns of Surge in ATM Jackpotting Incidents

The US Federal Bureau of Investigation (FBI) has issued a warning about a surge in ATM jackpotting incidents, resulting in losses of over $20 million in 2025. Since 2020, a total of 1,900 such incidents have been reported, with 700 occurring in the past year alone.

How Jackpotting Attacks Work

According to the FBI, threat actors are exploiting physical and software vulnerabilities in ATMs to deploy malware, which forces the machines to dispense cash without a legitimate transaction. The malware, such as Ploutus, interacts directly with the ATM hardware, bypassing security controls present in the original software.

Ploutus, first observed in Mexico in 2013, grants threat actors complete control over an ATM, enabling them to trigger cash-outs that can occur in minutes and are difficult to detect until after the money is withdrawn. The malware exploits the eXtensions for Financial Services (XFS), a layer of software that instructs an ATM what to physically do.

The FBI explains that when a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. However, if a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand.
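From a monitoring standpoint, this means every physical dispense should pair with a bank approval, and one that does not is an indicator of compromise. The reconciliation check below is an added example, not code from the FBI advisory or any ATM vendor; the log layout, field names, and 90-second window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; this line layout is an assumption for the example,
# not a real ATM journal or XFS trace format.
DISPENSE_LOG = """\
2025-03-01T10:15:02 DISPENSE amount=200 txn=A1001
2025-03-01T10:42:40 DISPENSE amount=100 txn=A1002
2025-03-01T23:58:11 DISPENSE amount=2000 txn=-
2025-03-01T23:58:49 DISPENSE amount=2000 txn=-
2025-03-02T00:03:27 DISPENSE amount=60 txn=A1003
"""
HOST_AUTH_LOG = """\
2025-03-01T10:14:58 APPROVED amount=200 txn=A1001
2025-03-01T10:42:35 APPROVED amount=100 txn=A1002
2025-03-02T00:03:20 APPROVED amount=40 txn=A1003
"""

def parse(text):
    """Turn 'timestamp EVENT key=value ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        stamp, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        records.append({"time": datetime.fromisoformat(stamp), "event": event,
                        "amount": int(fields["amount"]), "txn": fields["txn"]})
    return records

def unauthorized_dispenses(dispense_text, auth_text, window=timedelta(seconds=90)):
    """Return (time, amount, reason) for each dispense lacking a matching approval."""
    approvals = {r["txn"]: r for r in parse(auth_text) if r["event"] == "APPROVED"}
    findings = []
    for d in parse(dispense_text):
        approval = approvals.pop(d["txn"], None)  # one approval covers one dispense
        if approval is None:
            reason = "no host approval"
        elif approval["amount"] != d["amount"]:
            reason = "amount differs from approval"
        elif not timedelta(0) <= d["time"] - approval["time"] <= window:
            reason = "outside approval window"
        else:
            continue
        findings.append((d["time"].isoformat(), d["amount"], reason))
    return findings

def should_go_out_of_service(findings):
    """Treat any unmatched dispense as an indicator of compromise."""
    return bool(findings)

if __name__ == "__main__":
    print(unauthorized_dispenses(DISPENSE_LOG, HOST_AUTH_LOG))
```

A check like this belongs off the ATM itself, fed by the bank host's records, since software on a compromised machine cannot be trusted to report on itself.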

Mitigating Jackpotting Risks

To mitigate jackpotting risks, the FBI recommends that organizations tighten physical security by installing threat sensors, setting up security cameras, and changing standard locks on ATM devices. Other measures include auditing ATM devices, changing default credentials, configuring an automatic shutdown mode once indicators of compromise are detected, and enforcing device allowlisting to prevent unauthorized access.

The US Department of Justice reported that about $40.73 million has been collectively lost to jackpotting attacks since 2021. The FBI’s warning highlights the need for organizations to take proactive measures to protect their ATMs from these types of attacks.

How Threat Actors Gain Access

Threat actors typically gain unauthorized access to ATMs by opening the machine with widely available generic keys. They then deploy the malware by either removing the ATM’s hard drive and replacing it with a foreign hard drive preloaded with the malware or by connecting the hard drive to their computer, copying the malware, and then reattaching the hard drive to the ATM.

The use of Ploutus malware allows threat actors to target ATMs from different manufacturers with little to no code changes, as the underlying Windows operating system is exploited during the attack. This highlights the need for organizations to prioritize the security of their ATMs and take steps to prevent these types of attacks.


