The Federal Bureau of Investigation (FBI) has released a flash to disseminate indicators of compromise (IOCs) and technical details associated with malware enabled ATM jackpotting. Threat actors exploit
physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction. The FBI has observed an increase in ATM jackpotting incidents across the United States. Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them with more than $20 million in losses occurred in 2025 alone. This FLASH is being provided to encourage organizations to implement the recommended mitigation steps and to outline the information requested from the public.
Threat actors are deploying ATM jackpotting malware, including the Ploutus family malware, to infect ATMs and force them to dispense cash. Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do. When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand.
As a result, Ploutus allows threat actors to force an ATM to dispense cash without using a bank card, customer account, or bank authorization. Once Ploutus is installed on an ATM, it gives threat actors direct control over the machine, allowing them to trigger cash withdrawals. Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.
Common methods of used to infect ATMs
After gaining access to ATMs, most often by opening an ATM face with widely available generic keys, ATM jackpotting threat actors have used several main methods to deploy malware:
• Criminals remove the ATM’s hard drive, connect it to their computer, copy the malware to the hard drive, return the hard drive to the ATM, and reboot the ATM.
• Criminals remove the ATM’s hard drive, replace it with a foreign hard drive or other external device with preloaded malware, and reboot the ATM.
How ATM malware works
The malware interacts directly with the ATM hardware, bypassing any communications or security of the original ATM software. The malware does not require connection to an actual bank customer account to
dispense cash. The malware can be used across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise.
What are the Physical Indicators of an infected ATM
* ATM door open alerts outside of planned maintenance schedule
* Low/No cash indicators outside of expected use schedule
* Unauthorized devices plugged into the ATM
* Removal of hard drives from ATMs
* ATM unexpectedly out of service
