The U.S. Department of Justice (DoJ) has revealed the indictment of 54 people for their alleged roles in a sophisticated, multi-million-dollar ATM jackpotting operation that targeted machines across the United States.
According to authorities, the operation involved the use of Ploutus malware to compromise automated teller machines and force them to dispense cash illegally. Investigators say the accused individuals are connected to Tren de Aragua (TdA), a Venezuelan criminal group that the U.S. State Department has classified as a foreign terrorist organization.
The DoJ noted that in July 2025, the U.S. government imposed sanctions on TdA’s leader, Hector Rusthenford Guerrero Flores, also known as “NiƱo Guerrero,” along with five senior members. They were sanctioned for alleged involvement in crimes including “illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities.”
An indictment returned on December 9, 2025, charged 22 individuals with offenses such as bank fraud, burglary, and money laundering. Prosecutors allege that TdA used ATM jackpotting attacks to steal millions of dollars in the U.S. and distribute the proceeds among its network.
In a separate but related case, another 32 defendants were charged under an indictment filed on October 21, 2025. These charges include “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of damage to computers.”
If found guilty, the defendants could face sentences ranging from 20 years to as much as 335 years in prison.
“These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.
Officials explained that the scheme relied on recruiting individuals to physically access ATMs nationwide. These recruits reportedly carried out reconnaissance to study security measures, tested whether alarms were triggered, and then accessed the machines’ internal components.
Once access was obtained, the attackers allegedly installed Ploutus either by swapping the ATM’s hard drive with a preloaded one or by using removable media such as a USB drive. The malware can send unauthorized commands to the ATM’s Cash Dispensing Module, causing it to release money on demand.
“The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM,” the DoJ said. “Members of the conspiracy would then split the proceeds in predetermined portions.”
Ploutus first surfaced in Mexico in 2013. Security firms later documented its evolution, including its exploitation of vulnerabilities in Windows XP-based ATMs and its ability to control Diebold machines running multiple Windows versions.
“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes,” researchers noted. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM.”
The DoJ estimates that since 2021, at least 1,529 jackpotting incidents have occurred in the U.S., resulting in losses of approximately $40.73 million as of August 2025.
“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes,” said U.S. Attorney Lesley Woods
