
Indictment of 54 in ATM Jackpotting Ring by DoJ

  • Dec 20, 2025

Key Findings


  • The U.S. Department of Justice has indicted 54 individuals over a multi-million-dollar ATM jackpotting fraud scheme.

  • The crimes are linked to the cybercrime group Tren de Aragua (TdA); the charges include fraud, money laundering, and material support to a terrorist organization.

  • ATM jackpotting is a type of cyber-enabled bank robbery where criminals infect an ATM with malware or use physical access to force it to dispense cash.

  • The conspiracy used a malware strain called Ploutus to break into ATMs and force them to release cash.

  • Recruited crews traveled across the U.S., scouting banks and credit unions and checking security around ATMs.

  • After emptying the machines, the groups divided the stolen money based on prearranged shares.

  • Ploutus malware was first spotted in Mexico in 2013 and could control Diebold ATMs on multiple Windows versions.


Background


ATM jackpotting is a type of cyber-enabled bank robbery in which criminals infect an ATM with malware or use physical access to force it to dispense cash on demand. Instead of stealing cards or PINs, attackers break into the ATM's internal system, usually by opening the cabinet, connecting a device, or replacing the hard drive. Once inside, they run malicious software that sends unauthorized commands to the cash dispenser, causing the machine to "jackpot" and release all available money. The attackers then collect the cash and leave, often within minutes, without alerting customers or triggering immediate alarms.


The Conspiracy


The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million-dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash.


The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for "the train of Aragua"), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department. Prosecutors allege that TdA has leveraged jackpotting schemes to siphon millions of dollars in the U.S. and transfer the ill-gotten proceeds among its members and associates.


The jackpotting operation is said to have relied on TdA recruiting an unspecified number of individuals to deploy the Ploutus malware across the nation. These individuals would conduct initial reconnaissance to assess the external security measures installed at various ATMs and then attempt to open the ATM's hood to check whether doing so triggered an alarm or a law enforcement response.


Following this step, the threat actors would install Ploutus by either replacing the hard drive with one that came preloaded with the malicious program or by connecting a removable thumb drive. The malware is equipped to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force currency withdrawals. It was also designed to delete evidence of its presence to conceal the attack.
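
For defenders, the sequence described above (physical access, a swapped hard drive or thumb drive, then dispenser activity with no customer transaction) can be caught by correlating telemetry forwarded off the ATM, since the malware deletes evidence on the machine itself. The following Python example is added here and does not come from the DoJ or the cited sources; the event names, time windows and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): time, ATM id, event type.
# Event type names are hypothetical, normalized labels.
SAMPLE_EVENTS = [
    ("2025-01-10T02:10:00", "ATM-001", "card_auth"),
    ("2025-01-10T02:10:20", "ATM-001", "dispense"),
    ("2025-01-10T03:00:00", "ATM-002", "cabinet_open"),
    ("2025-01-10T03:04:00", "ATM-002", "usb_storage_attached"),
    ("2025-01-10T03:09:00", "ATM-002", "dispense"),
    ("2025-01-10T03:09:30", "ATM-002", "dispense"),
    ("2025-01-10T08:50:00", "ATM-003", "card_auth"),
    ("2025-01-10T09:00:15", "ATM-003", "dispense"),
]

TAMPER = {"cabinet_open", "usb_storage_attached", "disk_serial_changed"}
AUTH_WINDOW = timedelta(seconds=90)    # assumed max gap between card auth and dispense
TAMPER_WINDOW = timedelta(minutes=30)  # assumed look-back for physical tampering


def detect(events):
    """Return alerts for dispenses that no recent card authorization explains."""
    last_auth, tampers, alerts = {}, {}, []
    for ts, atm, kind in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "card_auth":
            last_auth[atm] = t
        elif kind in TAMPER:
            tampers.setdefault(atm, []).append((t, kind))
        elif kind == "dispense":
            auth = last_auth.pop(atm, None)  # one authorization covers one dispense
            if auth is not None and t - auth <= AUTH_WINDOW:
                continue
            # Tamper events shortly before an unexplained dispense raise severity.
            recent = sorted({k for tt, k in tampers.get(atm, [])
                             if t - tt <= TAMPER_WINDOW})
            alerts.append({"time": ts, "atm": atm, "tamper": recent,
                           "severity": "critical" if recent else "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
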


After emptying the machines, the groups divided the stolen money based on prearranged shares.


Impact and Prosecution


According to the agency, a total of 1,529 jackpotting incidents have been recorded in the U.S. since 2021, with about $40.73 million lost to the international criminal network as of August 2025.


If convicted, some defendants face sentences ranging from 20 to 335 years in prison. "Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes," U.S. Attorney Lesley Woods said.


The Ploutus malware was first detected in Mexico in 2013 and was later found to be capable of controlling Diebold ATMs on multiple Windows versions, enabling rapid cash theft with physical access and activation codes.


Sources


  • https://securityaffairs.com/185908/cyber-crime/atm-jackpotting-ring-busted-54-indicted-by-doj.html

  • https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html

  • https://x.com/shah_sheikh/status/2002497667033714817
