The FBI has issued a flash security alert revealing a sharp increase in automated teller machine (ATM) “jackpotting” attacks across the United States, with more than 700 such incidents occurring in 2025 that collectively netted cybercriminals over $20 million. These crimes involve physical and digital breaches of ATM hardware, often using generic keys to gain access and installing malware like Ploutus that manipulates the machine to dispense cash on demand without any legitimate transaction or bank authorization. Since 2020, roughly 1,900 ATM jackpotting cases have been reported, illustrating a concerning trend in cyber-physical attacks that exploit software vulnerabilities and weak physical security measures within ATM infrastructure. The FBI’s warning underscores the need for financial institutions to adopt stronger physical safeguards, updated security protocols, and advanced monitoring to mitigate the growing threat. These incidents differ from traditional card fraud or skimming, focusing instead on direct exploitation of machines themselves and represent a persistent risk to banks and ATM operators. Sources below provide detailed insights into how these attacks work, the scale of the threat, and the FBI’s guidance for preventing future losses.
Sources
https://techcrunch.com/2026/02/19/fbi-says-atm-jackpotting-attacks-are-on-the-rise-and-netting-hackers-millions-in-stolen-cash/
https://www.securityweek.com/fbi-20-million-losses-caused-by-700-atm-jackpotting-attacks-in-2025/
https://www.bitdefender.com/en-us/blog/hotforsecurity/cybercriminals-stole-20-million-forcing-atm-spit-out-cash-fbi
Key Takeaways
• The FBI reports more than 700 ATM jackpotting attacks in 2025 alone, with losses exceeding $20 million, part of nearly 1,900 cases since 2020.
• Malware such as Ploutus, combined with physical access techniques like generic keys, enables criminals to control ATMs and force cash dispensation without bank authorization.
• Financial institutions are urged to strengthen both physical and digital defenses to combat this growing cyber-physical crime trend.
In-Depth
The Federal Bureau of Investigation’s recent flash alert on ATM jackpotting shines a spotlight on a growing form of crime that blurs the lines between traditional bank robbery and sophisticated cyberattack. Unlike skimming schemes that steal customer card data or phishing campaigns that trick individuals into revealing sensitive information, jackpotting targets the machines themselves. By exploiting physical access vulnerabilities and outdated software, hackers are tricking cash dispensers into releasing funds on command, leaving financial institutions — not customers — to absorb the losses. According to law enforcement data, more than 700 jackpotting attacks occurred in 2025 alone, resulting in over $20 million in stolen cash, and bringing the total number of incidents since 2020 to nearly 1,900. These figures suggest not just occasional criminal activity but a trend that has rapidly migrated from isolated demonstrations of vulnerability to a recurring threat that serious actors are monetizing.
At the heart of many of these attacks is the Ploutus family of malware, a malicious code suite that exploits the eXtensions for Financial Services (XFS) software layer used by many ATMs worldwide. XFS is designed to serve as the middleman between an ATM’s operating system — often a version of Microsoft Windows — and its hardware components, such as the cash dispenser and card reader. Once installed, Ploutus can bypass the normal bank authorization process, issuing rogue commands that instruct the machine to dispense cash without a legitimate transaction. Because this malware interacts directly with hardware instructions, it does not need to compromise customer accounts and often goes undetected until after the cash has been withdrawn.
The typical jackpotting playbook begins with criminals gaining physical access to the ATM’s internals. Many machines use widely available “generic” keys to open their front panels, a legacy security practice that was never designed to withstand coordinated criminal efforts. Once inside, attackers may remove the ATM’s hard drive, connect it to their own equipment, and install malware before reinstalling it, or they may replace the original drive entirely with one preloaded with malicious software. In both cases, the result is the same: the compromised ATM becomes a tool for illicit cash withdrawals at the attacker’s direction.
The FBI’s alert emphasizes that these attacks continue to evolve, often involving relatively simple physical breaches combined with increasingly sophisticated malware strains. The Ploutus family — first observed more than a decade ago — remains a dominant tool in the jackpotting arsenal, partly because it can be adapted to different ATM models with minimal code changes due to its reliance on the common Windows and XFS framework. Security experts warn that many ATM operators have failed to adequately update software and strengthen physical safeguards, leaving machines running outdated operating systems and relying on default security practices that are easily subverted.
To counter this trend, the FBI recommends a multilayered defense strategy. Physical security measures should include replacing generic keys with unique, tamper-resistant locks, enhancing surveillance systems around ATMs, and installing sensors that detect unauthorized access attempts. On the cyber front, financial institutions should maintain up-to-date software, implement application whitelisting to prevent unauthorized code execution, and conduct regular audits of machine integrity. Network monitoring and endpoint detection systems can help identify suspicious activity indicative of a potential jackpotting attempt, and staff training is essential to ensure rapid response when indicators of compromise arise.
The rise in ATM jackpotting illustrates the persistent adaptability of criminal enterprises to exploit technological systems. As financial infrastructure becomes more computerized and interconnected, the incentive for attackers to find and monetize vulnerabilities increases. While customers may not see their individual accounts directly affected by these incidents, the financial institutions that operate ATMs face significant financial and reputational risks. Vigilance, investment in updated security measures, and collaboration across the banking sector are crucial to mitigating this growing threat. Without proactive defenses, cyber-physical attacks like jackpotting could become a regular feature of the criminal landscape, imposing mounting losses on the banking system and challenging traditional approaches to financial security.