FBI Reports Surge in ATM Jackpotting: 1,900 Incidents Since 2020, $20M Lost in 2025
The Federal Bureau of Investigation (FBI) has raised alarms over a significant rise in ATM jackpotting incidents across the United States, culminating in losses exceeding $20 million in 2025 alone. Since 2020, the agency has documented 1,900 such attacks, with 700 occurring in the past year. In December 2025, the U.S. Department of Justice (DoJ) reported that approximately $40.73 million has been collectively lost to jackpotting attacks since 2021.
ATM jackpotting involves cybercriminals exploiting both physical and software vulnerabilities in automated teller machines to deploy malware that forces the machines to dispense cash without legitimate transactions. The FBI highlighted that attackers often gain unauthorized access by using generic keys to open the ATM’s facade.
Once access is obtained, there are primarily two methods employed to install the malware:
1. Hard Drive Manipulation: The attacker removes the ATM’s hard drive, connects it to an external device to copy the malware onto it, reinstalls the compromised hard drive, and reboots the machine.
2. Hard Drive Replacement: The original hard drive is replaced with one preloaded with the malicious software, followed by a system reboot.
In both scenarios, the malware is designed to interact directly with the ATM hardware, effectively bypassing existing security controls. Notably, this method does not require a connection to a bank card or customer account, making it adaptable across various ATM manufacturers with minimal code modifications.
A prominent example of such malware is Ploutus, first identified in Mexico in 2013. Once installed, Ploutus grants attackers full control over the ATM, enabling rapid cash withdrawals that are challenging to detect until after the funds have been dispensed. The FBI explained that Ploutus exploits the eXtensions for Financial Services (XFS), a software layer that directs ATM operations. By issuing commands directly to XFS, attackers can circumvent bank authorization processes and instruct the ATM to dispense cash on demand.
To mitigate the risks associated with ATM jackpotting, the FBI recommends several measures:
– Enhancing Physical Security: Install threat sensors, set up surveillance cameras, and replace standard locks on ATM devices.
– Conducting Regular Audits: Periodically inspect ATM devices for signs of tampering or unauthorized access.
– Updating Credentials: Change default passwords and credentials to prevent unauthorized access.
– Implementing Automatic Shutdowns: Configure ATMs to shut down automatically upon detecting indicators of compromise.
– Enforcing Device Allowlisting: Restrict the connection of unauthorized devices to the ATM network.
– Maintaining Logs: Keep detailed logs of ATM operations to monitor and identify suspicious activities.
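The logging and indicator-of-compromise recommendations above can be turned into simple correlation rules. The following Python is an added example, not code from the FBI alert or any ATM vendor; the log line format, the event names (HOST_AUTH, DISPENSE, CABINET_OPEN, REBOOT) and the 15-minute window are assumptions made for illustration. It flags a reboot shortly after the cabinet was opened, and any cash dispense that has no matching host authorization.

```python
from datetime import datetime, timedelta

# Constructed sample journal; the line format is an assumption for this example.
SAMPLE_LOG = """\
2025-11-03T01:58:10Z ATM-0042 HOST_AUTH txn=88121 amount=200
2025-11-03T01:58:14Z ATM-0042 DISPENSE txn=88121 amount=200
2025-11-03T02:14:07Z ATM-0042 CABINET_OPEN
2025-11-03T02:19:45Z ATM-0042 REBOOT
2025-11-03T02:23:02Z ATM-0042 DISPENSE txn=- amount=2000
2025-11-03T02:23:40Z ATM-0042 DISPENSE txn=- amount=2000
2025-11-03T02:30:00Z ATM-0077 REBOOT
2025-11-03T02:41:12Z ATM-0077 HOST_AUTH txn=90455 amount=60
2025-11-03T02:41:15Z ATM-0077 DISPENSE txn=90455 amount=60
"""

REBOOT_WINDOW = timedelta(minutes=15)  # assumed threshold, tune per fleet

def parse(line):
    """Split 'timestamp atm event key=value ...' into typed parts."""
    ts, atm, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), atm, event, fields

def detect(log_text):
    """Return (atm, rule, timestamp) alerts for the two rules described above."""
    alerts = []
    authorized = {}  # atm -> {txn: amount} approved by the host, not yet dispensed
    last_open = {}   # atm -> time the cabinet was last opened
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, atm, event, f = parse(line)
        if event == "HOST_AUTH":
            authorized.setdefault(atm, {})[f["txn"]] = f["amount"]
        elif event == "CABINET_OPEN":
            last_open[atm] = ts
        elif event == "REBOOT":
            opened = last_open.get(atm)
            if opened and ts - opened <= REBOOT_WINDOW:
                alerts.append((atm, "REBOOT_AFTER_CABINET_OPEN", ts.isoformat()))
        elif event == "DISPENSE":
            # pop() makes each authorization single-use, so a replayed txn id also alerts
            approved = authorized.get(atm, {}).pop(f.get("txn"), None)
            if approved != f.get("amount"):
                alerts.append((atm, "DISPENSE_WITHOUT_HOST_AUTH", ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Because the malware runs from the ATM's own drive, rules like these are only meaningful when the events are collected off the device, for example from the authorization host and door sensors. The resulting alerts are the kind of indicator the automatic-shutdown recommendation could act on.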
The FBI’s alert underscores the evolving nature of cyber threats targeting financial institutions and the critical need for robust security measures to protect against such sophisticated attacks.