Malware-fuelled ATM “jackpotting” attacks are surging across the United States, with the FBI warning that incidents have spiked sharply in 2025.
In a recent alert, the Bureau said it has recorded around 1,900 ATM jackpotting incidents since 2020. Alarmingly, more than 700 of those cases (representing over $20 million in losses) have happened this year alone. The bureau is now urging financial institutions and ATM operators to review their security controls and implement stronger mitigation measures.
Bypassing Authentication Entirely
At the centre of many of these attacks is the Ploutus family of malware. Ploutus targets the eXtensions for Financial Services (XFS) layer, the software interface that tells an ATM what physical action to perform. In a legitimate transaction, the ATM application sends instructions through XFS for bank authorisation before dispensing cash. But if bad actors can issue their own commands to XFS, they can bypass authorisation entirely.
In effect, Ploutus allows threat actors to command an ATM to spit out cash on demand. No bank card, no customer account, and no approval required. Rather than targeting individual bank customers, the malware attacks the machine itself, enabling rapid “cash-out” operations that can be completed in minutes and often go undetected until after the money is gone.
The method of infection is often brazenly simple. Threat actors commonly gain physical access to ATMs using widely available generic keys to open the machine’s cabinet. From there, they either remove the hard drive and connect it to their own device to load malware before reinstalling it, or replace the original drive entirely with a preloaded foreign hard drive or external device. Once the ATM is rebooted, the malware takes control.
Adapted Across Different Manufacturers
Due to the fact that many ATMs run on Windows operating systems, the malware can be adapted across different manufacturers with minimal code changes. Importantly, it interacts directly with the ATM hardware, slipping past the security controls of the original ATM software and operating independently of any live banking session.
The FBI is recommending a targeted audit policy that focuses on monitoring removable storage usage, controlling file access, and scrutinising process creation events. Combined with “gold image” integrity validation (ensuring the ATM’s baseline software configuration has not been altered) this approach can help organisations detect physical intrusion and malware staging early, rather than relying solely on network-based monitoring that may miss these attacks entirely.
A Primary Target
Dray Agha, senior manager of security operations at Huntress, said: “Criminals are using malware like Ploutus to bypass the bank’s verification system entirely, forcing the machine to spit out cash on command. The $20 million stolen last year proves that the security layer controlling the ATM’s hardware is now a primary target.”
According to Agha, this is a wake-up call for financial institutions to treat every ATM like an endpoint on their network, not just a standalone safe. “These attacks can be over in minutes and often go unnoticed until the cash is gone because the malware doesn’t trigger the usual bank-side transaction checks. Proactive monitoring for unauthorised physical access to the machine’s interior, combined with stronger logical access controls for software updates, is critical to stopping these ‘phantom withdrawals.'”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.