FBI Says ATM ‘Jackpotting’ Attacks Are On The Rise, And Netting Hackers Millions In Stolen Cash

ATM Jackpotting Attacks Surge: $20M Stolen in 2025

ATM jackpotting is a sophisticated cybercrime where hackers force cash machines to dispense money on command. The FBI reports over 700 attacks in 2025 alone, with criminals stealing at least $20 million. These attacks combine physical access with malware like Ploutus to exploit ATM vulnerabilities. Unlike traditional bank fraud, jackpotting targets the machines themselves rather than customer accounts, making detection difficult until the cash is already gone.

What Is ATM Jackpotting and How Does It Work?

ATM jackpotting sounds like something out of a heist movie, but it's very real and increasingly common. The term describes a coordinated attack where criminals gain control of an ATM and command it to spit out all its cash reserves. Think of it as forcing a vending machine to drop every snack at once, except we're talking about thousands of dollars in crisp bills.
The process typically happens in minutes, leaving little time for detection or prevention. Hackers don't need to hack into bank accounts or steal customer data. Instead, they target the ATM's internal systems directly, bypassing normal security protocols. Once inside, they issue commands that trick the machine into dispensing cash as if legitimate withdrawal requests were being processed.
What makes this particularly disturbing is how quickly it can happen. A compromised ATM can empty its entire cash drawer in under five minutes. By the time bank officials or law enforcement realize what's happening, the perpetrators are long gone with the money.

FBI Reports Alarming Rise in Attacks

The Federal Bureau of Investigation recently issued a stark warning about the dramatic increase in ATM jackpotting incidents. According to their latest security bulletin, hackers launched more than 700 attacks on cash dispensers throughout 2025. These coordinated strikes netted criminals at least $20 million in stolen cash, representing a significant escalation from previous years.
This isn't just a few isolated incidents anymore. The FBI's warning signals that ATM jackpotting has evolved from an experimental hacking technique into a major criminal enterprise. Organized crime groups are now treating these attacks as reliable revenue streams, investing time and resources into perfecting their methods.
Financial institutions across the country are scrambling to respond. The sheer volume of attacks suggests that criminal networks are sharing techniques, tools, and target information. What once required advanced technical skills can now be executed by groups with moderate hacking knowledge and the right malware.

The Ploutus Malware Threat Explained

At the heart of many recent attacks is a notorious piece of malware called Ploutus. This sophisticated program has become the weapon of choice for ATM jackpotting criminals because of its versatility and effectiveness. Ploutus doesn't discriminate between different ATM manufacturers, making it a universal threat to cash dispensers nationwide.
The malware specifically targets the Windows operating systems that power many ATMs. Yes, those same cash machines you use to withdraw money often run on modified versions of Windows. Ploutus exploits this fact, gaining deep access to the machine's core functions once it's installed.
Once Ploutus infiltrates an ATM, it grants hackers complete control over the device. Criminals can issue commands to dispense cash, disable alarms, and even manipulate transaction logs. The malware is designed to operate quickly and efficiently, maximizing the amount of cash stolen before anyone notices something is wrong.
Security researchers have been tracking Ploutus for years, but each new version becomes more sophisticated and harder to detect. The malware's creators continuously update it to bypass security measures, creating an ongoing arms race between criminals and financial institutions.

How Hackers Exploit ATM Vulnerabilities

Gaining control of an ATM requires both physical access and digital infiltration, and criminals have developed systematic approaches to achieve both. The attack typically begins with someone gaining physical proximity to the target machine, often during off-hours when banks are closed and foot traffic is minimal.
Once near the ATM, attackers use generic keys or lock-picking tools to open the machine's front panel. These aren't high-tech bypass methods; many ATMs use standard locks that can be compromised with readily available tools. Inside, they find the computer hardware that controls the dispenser, often with accessible USB ports or network connections.
From there, hackers connect laptops or specialized devices to install malware like Ploutus. The process can take as little as ten to fifteen minutes for experienced criminals. Once the malware is installed, they can either trigger the jackpot immediately or leave a backdoor for future attacks.
The combination of physical and digital access makes these attacks particularly challenging to prevent. Traditional cybersecurity measures focus on network defenses, but jackpotting attacks often bypass networks entirely by directly accessing the ATM's internal systems.

Why XFS Software Is the Weak Link

The vulnerability that makes ATM jackpotting possible centers on a critical piece of software called XFS, which stands for eXtensions for Financial Services. This middleware acts as a translator between the ATM's operating system and its various hardware components, including the cash dispenser, card reader, PIN pad, and receipt printer.
XFS was designed to standardize how different ATM components communicate, allowing banks to mix and match hardware from various manufacturers. However, this standardization also created a universal attack surface that malware like Ploutus can exploit. Once hackers gain access to the XFS layer, they can send commands directly to the cash dispenser.
Security researchers have identified multiple vulnerabilities in XFS implementations over the years. The software wasn't originally designed with modern cyber threats in mind, and many ATMs still run outdated versions with known security flaws. Updating these systems is complex and expensive, leading many financial institutions to delay critical security patches.
The fundamental issue is that XFS trusts commands from the local system without adequate authentication. When Ploutus issues a "dispense cash" command through XFS, the ATM obeys because it appears to come from a legitimate source. There's often no secondary verification to confirm that the withdrawal request is authorized.

Physical and Digital Attack Methods Combined

Modern ATM jackpotting represents a dangerous convergence of physical security breaches and cyberattacks. Criminals no longer need to choose between breaking into a machine or hacking it remotely; they do both simultaneously for maximum effectiveness. This hybrid approach makes detection and prevention significantly more challenging.
Physical access remains the critical first step in most jackpotting attacks. Without someone actually touching the machine, installing malware is nearly impossible for most ATM models. This is why criminals often target ATMs in less secure locations, such as standalone machines in shopping centers or gas stations, rather than those inside bank branches with additional security measures.
Once physical access is achieved, the digital attack happens rapidly. Hackers come prepared with pre-configured malware, specialized cables, and sometimes even custom hardware designed to interface with specific ATM models. The entire operation is rehearsed and optimized for speed, knowing that every additional minute increases the risk of getting caught.
Some sophisticated criminal groups have even developed portable devices that can be quickly connected to ATMs to deploy malware and trigger cash dispensing. These "jackpotting kits" can be purchased on dark web marketplaces, lowering the technical barrier to entry and enabling less skilled criminals to execute these attacks.

What Banks and Consumers Should Know

Financial institutions are facing mounting pressure to protect their ATM networks from jackpotting attacks, but the responsibility isn't theirs alone. Consumers should remain vigilant and understand that these attacks, while serious, don't typically compromise personal account information or funds. The criminals are stealing the bank's cash reserves, not your money.
Banks are implementing multiple layers of defense to combat this threat. These include enhanced physical security measures like better locks, surveillance cameras, and alarm systems. On the digital side, institutions are deploying endpoint protection software, network segmentation, and real-time monitoring systems designed to detect unusual ATM behavior.
Some banks are also upgrading to newer ATM models with improved security architectures that don't rely on vulnerable Windows systems or outdated XFS implementations. However, this transition is expensive and time-consuming, meaning many older machines remain in service and vulnerable to attack.
If you notice an ATM behaving strangely, such as dispensing cash without a card being inserted or displaying unusual error messages, report it to the bank immediately. While you're unlikely to encounter an active jackpotting attack, your vigilance could help authorities identify compromised machines and prevent further theft.

The Evolution From Security Research to Crime

The techniques used in modern ATM jackpotting have an ironic origin story. In 2010, renowned security researcher Barnaby Jack demonstrated the concept at the Black Hat security conference, forcing an ATM to spit out cash on stage in front of a stunned audience. His goal was to expose vulnerabilities and push manufacturers to improve security, not to enable criminal activity.
Jack's demonstration was a watershed moment that proved ATMs could be compromised, but it remained largely theoretical for years. Security professionals hoped that awareness of the vulnerability would lead to better protections before criminals could exploit it. Unfortunately, that's not what happened.
Over the following decade, the knowledge and tools needed to execute jackpotting attacks gradually leaked into criminal circles. What began as a proof-of-concept security demonstration evolved into a lucrative criminal enterprise. The very techniques Jack used to highlight security flaws became blueprints for theft.
Today's ATM jackpotting criminals stand on the shoulders of security research, using publicly disclosed vulnerabilities and techniques to steal millions. This transformation from academic research to criminal tool highlights the double-edged nature of security disclosure in an interconnected world.

Protecting Against ATM Jackpotting Attacks

Preventing ATM jackpotting requires a comprehensive approach that addresses both physical and digital vulnerabilities. Financial institutions must prioritize regular security audits, timely software updates, and hardware upgrades to newer, more secure ATM models. Multi-factor authentication for ATM maintenance functions can prevent unauthorized access even if physical security is breached.
Network-level protections are equally important. ATMs should be segmented from other bank systems, with strict controls on what commands they can receive and execute. Anomaly detection systems can monitor for unusual dispensing patterns and automatically shut down machines that exhibit suspicious behavior.
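One way to implement the dispensing-pattern monitoring described above, as an added example that is not from the original article or from any ATM vendor: it flags every dispense the host never approved and escalates when several occur in quick succession. The journal line layout, the event names (HOST_AUTH, DISPENSE) and the thresholds are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample journal. The "timestamp atm event key=value" layout is an
# assumption for this example, not a real vendor log format.
SAMPLE_JOURNAL = """\
2025-03-01T02:10:00 ATM-0042 CARD_INSERTED
2025-03-01T02:10:20 ATM-0042 HOST_AUTH txn=9001 amount=200
2025-03-01T02:10:25 ATM-0042 DISPENSE txn=9001 amount=200
2025-03-01T03:41:00 ATM-0042 CABINET_OPEN
2025-03-01T03:52:10 ATM-0042 DISPENSE amount=800
2025-03-01T03:52:40 ATM-0042 DISPENSE amount=800
2025-03-01T03:53:05 ATM-0042 DISPENSE amount=800
"""

def parse_journal(text):
    """Turn journal text into dicts: time, atm, event, plus key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"time": datetime.fromisoformat(parts[0]),
                       "atm": parts[1], "event": parts[2], **fields})
    return events

def find_alerts(events, auth_window=timedelta(seconds=60),
                burst_window=timedelta(minutes=2), burst_count=3):
    """Return (atm, time, reason) alerts for dispenses the host never approved."""
    alerts, auths, unauth = [], {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        atm = ev["atm"]
        if ev["event"] == "HOST_AUTH" and "txn" in ev:
            auths[(atm, ev["txn"])] = ev
        elif ev["event"] == "DISPENSE":
            auth = auths.pop((atm, ev.get("txn")), None)  # one dispense per approval
            if (auth is not None
                    and auth.get("amount") == ev.get("amount")
                    and ev["time"] - auth["time"] <= auth_window):
                continue  # matches a recent host approval for the same amount
            alerts.append((atm, ev["time"], "dispense_without_host_auth"))
            recent = [t for t in unauth.get(atm, []) if ev["time"] - t <= burst_window]
            recent.append(ev["time"])
            unauth[atm] = recent
            if len(recent) == burst_count:  # escalate once per burst
                alerts.append((atm, ev["time"], "burst_take_out_of_service"))
    return alerts
```

Because each approval is consumed by the first dispense that matches it, a second dispense reusing the same transaction id is also flagged.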
Physical security enhancements include better locking mechanisms, tamper-evident seals, and surveillance systems with real-time monitoring. Some banks are experimenting with biometric locks that require authorized personnel's fingerprints or facial recognition to access ATM internals.
The fight against ATM jackpotting is ongoing, with criminals continuously adapting their methods and banks working to stay ahead. Success requires constant vigilance, investment in security infrastructure, and collaboration between financial institutions, law enforcement, and security researchers to share threat intelligence and develop effective countermeasures.
