FBI Warns of Escalating ATM Jackpotting Attacks, $20M Lost in 2025

Key Findings


  • The FBI has warned of a sharp rise in ATM jackpotting attacks across the U.S., with losses exceeding $20 million in 2025 alone.

  • Since 2020, about 1,900 incidents have been reported, including 700 last year.

  • Total losses tied to jackpotting have reached roughly $40.7 million since 2021.


Background


  • The jackpotting technique was first publicly demonstrated by white-hat hacker Barnaby Jack in 2010.

  • Ploutus is one of the most sophisticated ATM malware families; it was first discovered in Mexico in 2013.

  • The malicious code lets crooks steal cash from ATMs either through an external keyboard attached to the machine or by sending SMS messages to it.

  • In January 2018, experts at FireEye Labs discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works on the KAL's Kalignite multivendor ATM platform.


ATM Jackpotting Attacks


  • Criminals are deploying ATM jackpotting malware such as Ploutus to force cash machines to dispense money without authorization.

  • The malware targets the eXtensions for Financial Services (XFS) layer, which controls ATM hardware.

  • By sending rogue commands directly to XFS, attackers bypass bank approval and trigger withdrawals without cards or accounts.

  • Once installed, Ploutus gives full control of the ATM, enabling fast cash-outs in minutes.

  • To infect machines, attackers usually gain physical access, open the cabinet with generic keys, and either copy malware onto the hard drive or replace it with a preloaded one.

  • Because it targets the Windows systems that ATMs run on, the malware works across different ATM brands with minimal changes.


Mitigating Jackpotting Risks


  • The FBI has outlined recommendations for organizations to mitigate jackpotting risks, including:

      • Tightening physical security by installing threat sensors, setting up security cameras, and changing standard locks on ATM devices.

      • Auditing ATM devices, changing default credentials, and configuring automatic shutdown mode when indicators of compromise are detected.

      • Enforcing device allowlisting to prevent connection of unauthorized devices and maintaining comprehensive logs.
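
The allowlisting, logging and automatic-shutdown recommendations above can be combined into one monitoring check. The following is an added example, not code from the FBI guidance or from the post; the log format, the field names (`cabinet_open`, `vid:pid`, `host_session`) and the allowlisted device IDs are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical allowlist of USB vendor:product IDs expected inside this ATM (constructed values).
ALLOWED_DEVICES = {"1a2b:0001", "1a2b:0002"}

# Constructed sample event log in a hypothetical "timestamp level source message" format.
SAMPLE_LOG = """\
2025-03-01T02:10:03Z INFO sensor cabinet_open=0
2025-03-01T02:14:55Z WARN sensor cabinet_open=1
2025-03-01T02:15:07Z INFO usb attach vid:pid=046d:c31c class=hid
2025-03-01T02:15:20Z INFO xfs cmd=DISPENSE amount=2000 host_session=none
2025-03-01T02:20:00Z INFO usb attach vid:pid=1a2b:0002 class=vendor
"""

USB_RE = re.compile(r"attach vid:pid=(?P<id>[0-9a-f]{4}:[0-9a-f]{4})")
XFS_RE = re.compile(r"cmd=DISPENSE .*host_session=(?P<sess>\S+)")

@dataclass
class Verdict:
    indicators: list = field(default_factory=list)
    shutdown: bool = False   # True when the automatic-shutdown policy fires

def evaluate(log: str) -> Verdict:
    """Walk the log once and collect jackpotting indicators of compromise."""
    v = Verdict()
    cabinet_open = False
    for line in log.splitlines():
        if "cabinet_open=1" in line:
            cabinet_open = True
            v.indicators.append("cabinet opened")
        m = USB_RE.search(line)
        if m and m.group("id") not in ALLOWED_DEVICES:
            # A peripheral not on the allowlist; an external keyboard is the classic Ploutus input path.
            ctx = " after cabinet open" if cabinet_open else ""
            v.indicators.append(f"unlisted device {m.group('id')}{ctx}")
            v.shutdown = True
        m = XFS_RE.search(line)
        if m and m.group("sess") == "none":
            # A dispense command with no host-authorised session: the bank-approval bypass described above.
            v.indicators.append("dispense without host session")
            v.shutdown = True
    return v

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_LOG)
    for ind in verdict.indicators:
        print("IOC:", ind)
    print("automatic shutdown:", verdict.shutdown)
```

A cabinet-open event alone only raises an indicator; an unlisted device or an unauthorised dispense command is what trips the shutdown flag.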


Sources


  • https://securityaffairs.com/188281/cyber-crime/fbi-warns-of-surge-in-atm-jackpotting-20-million-lost-in-2025.html

  • https://thehackernews.com/2026/02/fbi-reports-1900-atm-jackpotting.html

© 2025 by Explain IT Again. Powered and secured by Wix