ATM Jackpotting Attacks Surge In 2025 With Millions Stolen

Cybersecurity authorities are reporting an increase in coordinated attacks against automated teller machines, where criminals manipulate devices to release cash illegally. Recent findings highlight a sharp escalation in activity during 2025.

Good to Know

• More than 700 ATM attacks were recorded during 2025.
• Criminal groups stole at least 20 million dollars through jackpotting schemes.
• Ploutus malware gives attackers direct control over compromised machines.

ATM Jackpotting Moves From Research Demo To Criminal Tactic

ATM jackpotting first drew public attention in 2010 when security researcher Barnaby Jack demonstrated a live exploit at the Black Hat conference, forcing a machine to eject cash onstage. What once served as a proof of concept has since evolved into an organized criminal method targeting financial infrastructure worldwide.

A new FBI security bulletin states that attackers now combine physical access with software based intrusion techniques. Individuals may use generic master keys to open ATM panels, connect external devices to internal hardware, and install malicious programs designed to override normal transaction controls.

One of the primary tools identified is Ploutus malware, which targets machines running Windows based operating environments commonly used by ATM manufacturers. Once installed, Ploutus allows operators to send commands that trigger rapid cash disbursement without interacting with customer bank accounts.

Attack method focuses on the machine itself rather than account data, allowing criminals to bypass traditional fraud detection systems tied to card usage or transaction monitoring.

Ploutus exploits XFS, known as Extensions for Financial Services, a software layer that enables communication between ATM components such as the PIN keypad, card reader, and cash dispenser. By manipulating that interface, attackers can instruct the dispenser to release banknotes on command.

Federal investigators noted that such attacks can be completed within minutes, often before institutions detect abnormal activity.

“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn,” according to the FBI bulletin.

Security specialists now warn that financial institutions must strengthen both physical safeguards and endpoint protection to counter threats that blend on site intrusion with targeted malware deployment.

FAQ

What is ATM jackpotting?

A form of attack where criminals force a machine to dispense cash by manipulating hardware or installing malware rather than stealing from accounts.

How widespread were attacks in 2025?

FBI data recorded more than 700 incidents, resulting in at least 20 million dollars in losses.

What is Ploutus malware?

A program that takes control of ATM operations by exploiting Windows systems and XFS communication software.

Do attacks target customer bank accounts?

No. Method focuses on the ATM device itself, allowing cash withdrawal without accessing personal account information.

Why are these attacks hard to detect?

Operations occur quickly and bypass many traditional fraud monitoring tools tied to digital transactions.