FBI Issues Guidance to Prevent ATM Jackpotting Attacks After $20 Million Heist in 2025


ATM Jackpotting Attacks Surge, with Over $20 Million Stolen in 2025

A recent surge in ATM jackpotting attacks has prompted the Federal Bureau of Investigation (FBI) to issue a FLASH alert, warning financial institutions of the growing threat. According to the alert, more than $20 million was stolen in over 700 attacks in 2025 alone.

How the Attacks Work

The attacks use malware such as Ploutus, which is designed to force ATMs to dispense cash without a customer account. The malware issues commands to the eXtensions for Financial Services (XFS) software layer, which in turn instructs the ATM to dispense cash. Because the commands are issued locally on the ATM, attackers bypass bank authorization and gain access to the cash.

How Attackers Deploy the Malware

Attackers typically deploy the malware by gaining physical access to the ATM, then either removing the hard drive and connecting it to their own computer or replacing the hard drive with one preloaded with malware. The FBI notes that generic keys for ATM faces are widely available, making it easier for attackers to access the machines.

Recommendations for Detection and Prevention

To detect and prevent these attacks, the FBI recommends that organizations use threat sensors to monitor unusual vibration or temperature changes, which could indicate suspicious activity. Additionally, financial institutions can install keypads or other keyed barriers to components like the maintenance hatch and cashbox to provide an additional layer of defense.

The FBI also recommends that ATM security cameras be installed to provide a sufficient view to detect such attacks and preserve recordings for use in incident response and investigations. Furthermore, organizations should protect ATM hardware with security settings that enable logging of potential ATM jackpotting activity.

Additional Measures to Combat ATM Jackpotting

Device whitelisting can also be used to prevent the installation of unauthorized software on ATMs. Enabling security audit policies, such as “Audit Removable Storage” and “Audit Object Access,” ensures logging of potential ATM jackpotting activity.

The FBI guidance also recommends IP whitelisting to block potential remote attacks, software whitelisting, and the use of antimalware or antivirus software for endpoint protection. Employee training and sharing of threat intelligence among industry groups are also essential measures to combat ATM jackpotting.

Indicators of Compromise (IoCs)

The FBI has provided a list of indicators of compromise (IoCs) that organizations can use to help detect and prevent ATM jackpotting attacks. Teams should routinely validate ATM file systems against a cryptographically verified “gold image,” with any deviation from baseline file hashes indicating a potential compromise.
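The gold-image check described above, sketched as an added example (not code from the FBI alert or from this article): it authenticates a manifest of baseline SHA-256 hashes, then reports modified, missing and unexpected files. The HMAC key, the file names and the function names are assumptions made for the illustration; a deployment could instead verify a digital signature on the manifest.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Return {relative POSIX path: SHA-256} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def _mac(hashes, key):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_manifest(hashes, key):
    return {"hashes": hashes, "mac": _mac(hashes, key)}

def verify_against_gold(root, manifest, key):
    # Authenticate the baseline first: if the manifest itself could be
    # rewritten, a tampered disk would compare as clean.
    if not hmac.compare_digest(_mac(manifest["hashes"], key), manifest["mac"]):
        raise ValueError("gold manifest failed authentication")
    gold, live = manifest["hashes"], snapshot(root)
    return {
        "modified": sorted(p for p in gold if p in live and live[p] != gold[p]),
        "missing": sorted(p for p in gold if p not in live),
        "unexpected": sorted(p for p in live if p not in gold),
    }

def demo():
    key = b"constructed-demo-key"  # assumption: real key is kept off the ATM
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app/service.bin").write_bytes(b"v1")   # constructed files
        (root / "app/config.ini").write_bytes(b"a=1")
        manifest = sign_manifest(snapshot(root), key)   # taken from the gold image
        clean = verify_against_gold(root, manifest, key)
        # Constructed deviations: one file changed, one removed, one added.
        (root / "app/service.bin").write_bytes(b"v2")
        (root / "app/config.ini").unlink()
        (root / "dropped.bin").write_bytes(b"x")
        return clean, verify_against_gold(root, manifest, key)
```

Any non-empty list in the result is a deviation from the baseline and, per the guidance, a potential compromise to investigate.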

By taking these measures, financial institutions can help prevent ATM jackpotting attacks and protect their customers’ assets.


