FBI Warns of Surge in ATM Jackpotting Attacks Using Ploutus Malware

CyberSecureFox 🦊

The FBI has issued a new bulletin warning U.S. financial institutions about a sharp increase in ATM jackpotting attacks—incidents where criminals force cash machines to dispense money on demand without any legitimate transaction. According to the agency, in 2025 alone more than 700 jackpotting incidents have been recorded across the United States, causing losses of over $20 million. Since 2020, approximately 1,900 jackpotting attacks involving ATM malware have been documented, with almost half of them occurring this year, signaling a worsening risk landscape for ATM security.

What is ATM jackpotting and why is it so dangerous?

ATM jackpotting is a type of cyber‑physical attack in which an attacker gains control over the ATM’s internal systems and instructs it to dispense cash without a valid card, PIN, or bank account transaction. Unlike skimming, which targets customers’ payment cards, jackpotting directly targets the ATM hardware and software stack. As a result, attackers can empty cash cassettes in minutes, and banks often detect the compromise only after significant amounts have already been stolen.

According to the FBI, a typical attack scenario begins with the criminal obtaining physical access to the ATM cabinet. Once inside, they connect a device or install malware, then send commands directly to the cash dispenser module. Because no card, PIN, or backend account authorization is used, traditional transaction-based anti-fraud systems are largely ineffective against this attack vector.

Ploutus malware: the primary tool behind ATM jackpotting attacks

Long-lived ATM malware family

The FBI identifies the Ploutus ATM malware family as a central tool in today’s jackpotting campaigns. Ploutus has been known to the cybersecurity community for more than a decade and has been linked to large‑scale ATM cash‑out operations in multiple regions. It was widely observed in attacks around 2017–2018, and although it became less visible in public reports for some time, law enforcement notes that Ploutus remains one of the most commonly used malware strains for targeting ATMs globally.

How Ploutus exploits the XFS interface

Ploutus abuses the software layer known as eXtensions for Financial Services (XFS)—an industry‑standard interface that connects the ATM’s operating system to its physical components, such as the cash dispenser, card reader, and PIN pad. Under normal conditions, the ATM application uses XFS to send requests to the bank’s processing system, which authorizes or denies each operation.

Once Ploutus is installed, attackers can send XFS commands directly to the ATM hardware, bypassing the bank’s authorization process entirely. From the malware interface, criminals can configure the amount of cash, number of notes, and payout sequence, often triggering disbursement through secret key combinations on the PIN pad, a connected USB device, or even remotely if the ATM has also been compromised over the network.
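Because a jackpotting dispense never passes through card, PIN or host authorization, the one place it does leave a trace is the dispenser itself. The following is an added example, not code from the FBI bulletin or from any ATM vendor: it reconciles a constructed dispenser journal against a constructed host authorization log and flags every cash dispense that no authorization within a short window explains. The log formats, ATM identifiers and timestamps are all invented for the illustration; a real deployment would read the vendor's electronic journal and the switch's authorization records instead.

```python
"""Reconcile ATM dispenser events against host authorizations (added example).

Log formats below are constructed for this illustration; real ATM journals
and host logs differ by vendor.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Dispense:
    atm_id: str
    ts: datetime
    amount: int   # currency units
    notes: int


@dataclass(frozen=True)
class Authorization:
    atm_id: str
    ts: datetime
    amount: int
    txn_id: str


def _fields(line: str) -> dict:
    # "TAG k=v k=v ..." -> {k: v}; constructed format
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def parse_dispenses(lines):
    out = []
    for line in lines:
        if line.startswith("DISP "):
            f = _fields(line)
            out.append(Dispense(f["atm"], datetime.fromisoformat(f["ts"]),
                                int(f["amount"]), int(f["notes"])))
    return out


def parse_authorizations(lines):
    out = []
    for line in lines:
        if line.startswith("AUTH "):
            f = _fields(line)
            out.append(Authorization(f["atm"], datetime.fromisoformat(f["ts"]),
                                     int(f["amount"]), f["txn"]))
    return out


def unauthorized_dispenses(dispenses, authorizations, window=timedelta(seconds=30)):
    """Return dispenser events that no host authorization explains.

    An authorization explains a dispense when it is for the same ATM and the
    same amount and was issued within `window` before the dispense. Each
    authorization is consumed at most once, so a repeated dispense riding on
    one legitimate authorization is flagged as well.
    """
    unused = sorted(authorizations, key=lambda a: a.ts)
    flagged = []
    for d in sorted(dispenses, key=lambda d: d.ts):
        match = None
        for a in unused:
            if (a.atm_id == d.atm_id and a.amount == d.amount
                    and timedelta(0) <= d.ts - a.ts <= window):
                match = a
                break
        if match is None:
            flagged.append(d)
        else:
            unused.remove(match)
    return flagged


# Constructed sample data: one customer withdrawal, one authorized dispense on
# another machine, and two large night-time dispenses with no authorization.
DISPENSER_JOURNAL = [
    "DISP atm=ATM-0102 ts=2025-09-14T10:05:03 amount=200 notes=10",
    "DISP atm=ATM-0102 ts=2025-09-14T02:13:07 amount=2000 notes=100",
    "DISP atm=ATM-0107 ts=2025-09-14T02:13:10 amount=2000 notes=100",
    "DISP atm=ATM-0102 ts=2025-09-14T02:13:19 amount=2000 notes=100",
]
HOST_AUTH_LOG = [
    "AUTH atm=ATM-0102 ts=2025-09-14T10:05:01 amount=200 txn=T1001",
    "AUTH atm=ATM-0107 ts=2025-09-14T02:13:05 amount=2000 txn=T0999",
    "AUTH atm=ATM-0102 ts=2025-09-14T09:59:40 amount=100 txn=T1000",
]


def demo():
    return unauthorized_dispenses(parse_dispenses(DISPENSER_JOURNAL),
                                  parse_authorizations(HOST_AUTH_LOG))


if __name__ == "__main__":
    for d in demo():
        print(f"ALERT {d.atm_id} {d.ts.isoformat()} dispensed {d.amount} "
              f"({d.notes} notes) with no host authorization")
```

The matching window and the one-authorization-per-dispense rule are the two design choices that matter: a generous window hides a dispense that closely follows a genuine withdrawal, and letting one authorization cover several dispenses hides exactly the repeated cash-out pattern the bulletin describes.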

Why modern ATMs remain vulnerable to jackpotting

The FBI notes that Ploutus can run on ATMs from multiple manufacturers with minimal code changes. This is largely due to the widespread use of a common technology stack: Microsoft Windows as the operating system and the XFS standard for peripheral control. While this standardization reduces operating costs for banks, it also makes attacks highly scalable—malware developed for one configuration can be re‑used across thousands of similar machines.

Physical security remains another critical weakness. In numerous cases worldwide, criminals have obtained internal access to ATMs using universal service keys, forged technician badges, or by directly forcing locks. Once inside, they may remove the hard drive, deploy malware, and reinstall it, or replace it entirely with a pre‑loaded drive containing Ploutus. Advanced versions of the malware can automatically erase traces of compromise, complicating post‑incident forensic analysis.

FBI recommendations to strengthen ATM cybersecurity

1. Regular ATM security audits

The FBI recommends conducting systematic physical and technical inspections of ATM fleets. Banks should check for unauthorized USB devices, additional internal boards, modified cables, or unusual service connections. Any signs of forced entry, damaged locks, or tampered panels must be treated as potential indicators of compromise.

2. Endpoint monitoring and integrity control

Financial institutions are advised to monitor ATMs for unknown or anomalous processes, unexpected changes in system files, and unauthorized services. Implementing file integrity monitoring and golden image comparison makes it easier to detect hard‑drive swaps, malware deployments, and configuration changes that enable jackpotting.
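As an added example of the golden image comparison recommended above (not code from the FBI or from any ATM vendor), the block below hashes every file under a directory tree into a manifest, diffs a live machine's manifest against the golden one, and reports files that were added, removed or modified. The file names, directory layout and contents are constructed for the demonstration; an ignore list keeps legitimately changing paths such as journals from generating noise.

```python
"""File integrity check against a golden image manifest (added example).

Paths and file contents are constructed; the layout does not reflect any
real ATM vendor's installation.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, ignore_prefixes=("logs/",)) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256.

    Paths starting with one of ignore_prefixes are skipped so that files
    expected to change in normal operation do not produce alerts.
    """
    ignore = tuple(ignore_prefixes)
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(ignore):
                continue
            manifest[rel] = sha256_file(full)
    return manifest


def compare_to_golden(golden: dict, current: dict) -> dict:
    """Diff two manifests; any non-empty list is a finding to investigate."""
    return {
        "added": sorted(set(current) - set(golden)),
        "removed": sorted(set(golden) - set(current)),
        "modified": sorted(p for p in golden.keys() & current.keys()
                           if golden[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a constructed golden tree, tamper with a copy, and diff them."""
    with tempfile.TemporaryDirectory() as golden_dir, \
            tempfile.TemporaryDirectory() as atm_dir:
        baseline = {
            "app/atmapp.exe": b"atm application build 42",
            "xfs/msxfs.dll": b"xfs manager",
            "xfs/cdm_sp.dll": b"dispenser service provider",
            "logs/journal.txt": b"day 1",
        }
        for rel, data in baseline.items():
            _write(golden_dir, rel, data)
            _write(atm_dir, rel, data)
        golden = build_manifest(golden_dir)

        # Constructed tampering on the live machine.
        _write(atm_dir, "xfs/cdm_sp.dll", b"dispenser service provider (patched)")  # modified
        _write(atm_dir, "app/svc_update.exe", b"unexpected binary")                 # added
        _write(atm_dir, "logs/journal.txt", b"day 2")                               # ignored path
        os.remove(os.path.join(atm_dir, "app", "atmapp.exe"))                       # removed
        return compare_to_golden(golden, build_manifest(atm_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

In production the golden manifest is produced once from the approved image and stored off the ATM, since a drive swap or a malware install that can rewrite the manifest on the machine itself defeats the check; the comparison is then run from the monitoring side against a manifest the ATM reports.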

3. Strengthening physical protection and access control

Banks should harden physical security by introducing individualized, high‑security locks instead of universal keys, tightening policies for technician access, and enforcing strict identity verification for service personnel. The FBI also highlights the value of video surveillance and cabinet tamper sensors that trigger immediate alerts to security teams when an ATM’s body is opened.

4. Updating, segmenting, and hardening the ATM network

Wherever possible, ATMs should be migrated to supported Windows versions with modern security features enabled, such as secure boot, application whitelisting, and least‑privilege local accounts. The ATM network segment should be isolated from the rest of the bank’s IT environment, with strict access controls, logging, and network anomaly detection to prevent or limit remote exploitation.

The growing number of ATM jackpotting attacks demonstrates how criminals are exploiting the combination of a unified software stack, XFS‑based device control, and weak physical protection. To counter this trend, financial institutions must treat ATMs not as standalone metal boxes, but as critical endpoints in the payment infrastructure. Continuous monitoring, regular audits, reinforced physical security, timely software updates, and ongoing staff training form the minimum baseline to reduce jackpotting risk and maintain customer trust in digital and cash‑based banking services.
