
ATM Jackpotting Surge: FBI Warns of Millions Lost as Malware Attacks Target Cash Machines

Physical access and malware combine to create a growing financial threat to banks and ATM operators worldwide.

The U.S. Federal Bureau of Investigation (FBI) has raised concerns over a sharp increase in ATM jackpotting attacks, revealing that threat actors have carried out approximately 1,900 incidents since 2020. Notably, around 700 attacks occurred in 2024 alone, and financial institutions reported losses exceeding $20 million in 2025. These figures highlight a growing trend in which cybercriminals combine physical intrusion with malware deployment to extract cash directly from ATMs.

ATM jackpotting refers to attacks where criminals force machines to dispense cash without legitimate transactions. Unlike traditional banking fraud, these incidents do not require compromised customer accounts or stolen cards. Instead, attackers exploit weaknesses in ATM hardware, operating systems, and software layers.

How Attackers Execute Jackpotting Operations

Threat actors typically begin by gaining physical access to ATM internals. Investigators observed that criminals often use generic keys, many of which remain widely available online, to open ATM cabinets. Once inside, attackers deploy malware through two primary techniques:

  1. Removing the ATM hard drive, copying malware onto it using an external system, and reinstalling it.
  2. Replacing the original drive entirely with a pre-infected drive and rebooting the machine.

Regardless of the method, the objective remains the same: install malware capable of directly communicating with ATM hardware components.

One of the most commonly identified malware families in these attacks is Ploutus, first discovered in Mexico in 2013. After installation, the malware grants attackers full control over the ATM, allowing them to trigger unauthorized cash withdrawals within minutes.

The Technical Weakness: Exploiting XFS

The malware targets the eXtensions for Financial Services (XFS) software layer, which acts as the communication interface between ATM applications and hardware components such as cash dispensers and card readers.

Under normal circumstances, a legitimate banking transaction sends commands through XFS only after authorization. However, attackers bypass this process by issuing their own commands directly to XFS. As a result, the ATM dispenses cash without verifying any customer credentials.

Because many ATMs run similar Windows-based operating systems, attackers can adapt malware across different manufacturers with minimal modifications. This interoperability significantly increases the scale and efficiency of attacks.

Law Enforcement Developments

Authorities have intensified enforcement actions against organized cybercrime groups involved in jackpotting campaigns. Recently, prosecutors indicted six additional suspects linked to ATM attacks, bringing the total number of charged individuals to more than 90 in recent months. Investigators believe organized criminal networks play a major role in coordinating these operations across regions.

Business Risk Beyond Financial Loss

While direct monetary losses remain significant, the broader impact extends further:

  • Operational disruption and ATM downtime
  • Reputational damage for financial institutions
  • Regulatory scrutiny and compliance consequences
  • Increased insurance and security costs

For banks and ATM operators, jackpotting represents both a cyber and physical security challenge. Therefore, organizations must adopt integrated defense strategies.

Recommended Security Measures

Security agencies recommend several protective controls, including:

  • Strengthening physical ATM locks and cabinet protections
  • Installing intrusion detection sensors and surveillance systems
  • Changing default credentials and enforcing strong authentication
  • Implementing device allowlisting to block unauthorized hardware connections
  • Monitoring logs and enabling automated shutdown when anomalies occur
  • Conducting regular security audits and patch management

Organizations that treat ATM infrastructure as critical cyber-physical systems, rather than standalone devices, significantly reduce risk exposure.
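The log-monitoring control above can be made concrete by correlating dispense events against prior authorizations, which is exactly the check a direct-to-XFS command skips. The following is an added example written for this article, not code from the FBI advisory or from any ATM vendor; the event names, the "session" field and the line format are assumptions, and the log lines are constructed for the demonstration.

```python
"""Flag cash-dispense events that were not preceded by an authorized
transaction. Added example; the log format below is an assumption."""
import re
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <EVENT> key=value key=value ..."
LINE_RE = re.compile(r"^(\S+) (\w+)(.*)$")

# Constructed sample: one legitimate withdrawal, then two dispenses shortly
# after a cabinet-open sensor event with no authorization at all.
SAMPLE_LOG = """
2025-03-01T10:00:01 CARD_INSERTED session=A1
2025-03-01T10:00:05 AUTH_OK session=A1 account=redacted
2025-03-01T10:00:09 DISPENSE session=A1 amount=200 cassette=1
2025-03-01T10:20:00 CABINET_OPEN sensor=top
2025-03-01T10:22:30 DISPENSE session=- amount=2000 cassette=1
2025-03-01T10:22:33 DISPENSE session=- amount=2000 cassette=2
""".strip().splitlines()


def parse_line(line):
    """Return (timestamp, event, fields) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


def find_unauthorized_dispenses(log_lines, window=timedelta(seconds=60)):
    """Return (timestamp, fields) for every DISPENSE that has no unconsumed
    AUTH_OK for the same session within `window` before it."""
    pending = {}   # session -> time of the most recent unconsumed AUTH_OK
    alerts = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, fields = parsed
        session = fields.get("session", "-")
        if event == "AUTH_OK":
            pending[session] = ts
        elif event == "DISPENSE":
            # pop() so one authorization covers exactly one dispense
            auth_ts = pending.pop(session, None)
            if auth_ts is None or ts - auth_ts > window:
                alerts.append((ts, fields))
    return alerts


if __name__ == "__main__":
    for ts, fields in find_unauthorized_dispenses(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} unauthorized dispense {fields}")
```

An operator would feed the alert list into the automated-shutdown path the article recommends, for example halting the dispenser after the first alert rather than after the cassette is empty.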

What This Means for the Future

ATM jackpotting demonstrates how cybercrime continues to evolve beyond purely digital attacks. Criminals now combine physical access, malware engineering, and operational coordination to maximize financial gain.

Meanwhile, financial institutions must rethink endpoint security strategies. Traditional network defenses alone cannot protect devices that attackers can physically access. Therefore, layered security controls, continuous monitoring, and proactive threat intelligence become essential.