More than $20 million was stolen from compromised ATMs across the United States last year through a growing malware-driven scheme, according to a recent alert from the Federal Bureau of Investigation (FBI). Authorities say the tactic, known as ATM jackpotting, has seen a sharp rise in activity.
ATM jackpotting is a cyber-physical attack in which criminals manipulate both hardware and software weaknesses in ATMs to install malicious programs. Once deployed, the malware forces the machine to release cash on command without approval from the bank. Since 2020, nearly 1,900 such incidents have been recorded, with over 700 reported in 2025 alone, as detailed in a Thursday security advisory.
Attackers typically begin by using universal or generic keys to unlock the ATM cabinet. After gaining access, they either remove the machine’s hard drive to load malware onto it before reinstalling it, or swap it entirely with a pre-infected drive containing jackpotting software.
One of the most frequently used tools in these operations is Ploutus malware. This malicious program targets eXtensions for Financial Services (XFS), an open-standard API that enables ATMs and point-of-sale systems to communicate with banking applications across different hardware providers.
Under normal conditions, XFS allows banking software to process transactions and authorize cash withdrawals. However, the malware manipulates this system, letting attackers send unauthorized commands that trigger the ATM to dispense money instantly.
Unlike card skimming schemes that compromise customer data and PINs, jackpotting attacks primarily impact financial institutions. Banks and ATM operators bear the financial losses, which total tens of millions of dollars annually. These incidents are also challenging to detect in real time, often only becoming apparent after funds have already been removed.
In its latest advisory, the FBI outlined several warning signs for ATMs operating on Windows systems. These include suspicious executable files and scripts, unusual system event IDs linked to USB device insertions, missing hard drives, unauthorized hardware connected to the machine, and unexpected “out of cash” notifications. Financial institutions are urged to review these indicators closely to prevent further exploitation.
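Turning three of those warning signs into a fleet-wide triage check, as an added example that is neither the FBI's tooling nor code from the article: it flags USB device insertions, executables launched from outside the ATM image, and “out of cash” notifications, and raises the severity when an “out of cash” event follows one of the first two on the same machine within a short window. The provider/event-ID pairs, the vendor application event, the trusted directory list and the sample records are all assumptions constructed for the example and must be mapped to what your own ATM image actually logs.

```python
"""Triage Windows event records from an ATM fleet for jackpotting indicators.

Added example, not the FBI's or any vendor's tooling. Event IDs, the vendor
status event, the trusted paths and the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed provider/event-ID pairs. Kernel-PnP 400/410 are the System-log
# "device configured/started" events; the application event is a placeholder
# for whatever the vendor's cash-dispenser status event is on your image.
USB_ARRIVAL = {("Microsoft-Windows-Kernel-PnP", 400),
               ("Microsoft-Windows-Kernel-PnP", 410)}
PROCESS_CREATE = ("Microsoft-Windows-Security-Auditing", 4688)
OUT_OF_CASH = ("ATM-Application", 9001)  # hypothetical vendor event

# Directories an ATM image is expected to launch executables from;
# "c:\\atmvendor\\" is a placeholder for the real application path.
TRUSTED_EXE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\atmvendor\\")


@dataclass(frozen=True)
class Event:
    time: datetime
    atm_id: str
    provider: str
    event_id: int
    data: dict


@dataclass(frozen=True)
class Finding:
    time: datetime
    atm_id: str
    severity: str   # "low", "medium" or "high"
    reason: str


def is_usb_arrival(e: Event) -> bool:
    """Kernel-PnP device event whose instance ID sits on the USB bus."""
    instance = e.data.get("DeviceInstanceId", "")
    return (e.provider, e.event_id) in USB_ARRIVAL and instance.upper().startswith("USB\\")


def is_untrusted_process(e: Event) -> bool:
    """Process creation whose image lives outside the trusted directories."""
    if (e.provider, e.event_id) != PROCESS_CREATE:
        return False
    image = e.data.get("NewProcessName", "").lower()
    return not image.startswith(TRUSTED_EXE_PREFIXES)


def triage(events, window: timedelta = timedelta(hours=2)) -> list:
    """Return findings in time order, correlating per ATM within `window`."""
    precursors: dict = {}   # atm_id -> [(time, reason)] of earlier suspicious events
    findings = []
    for e in sorted(events, key=lambda ev: ev.time):
        if is_usb_arrival(e):
            reason = f"USB device arrival: {e.data.get('DeviceInstanceId')}"
            findings.append(Finding(e.time, e.atm_id, "medium", reason))
            precursors.setdefault(e.atm_id, []).append((e.time, reason))
        elif is_untrusted_process(e):
            reason = f"executable outside image: {e.data.get('NewProcessName')}"
            findings.append(Finding(e.time, e.atm_id, "high", reason))
            precursors.setdefault(e.atm_id, []).append((e.time, reason))
        elif (e.provider, e.event_id) == OUT_OF_CASH:
            linked = [r for t, r in precursors.get(e.atm_id, []) if e.time - t <= window]
            severity = "high" if linked else "low"
            reason = "out of cash" + (f" after: {'; '.join(linked)}" if linked else " with no precursor")
            findings.append(Finding(e.time, e.atm_id, severity, reason))
    return findings


def severity_counts(findings) -> dict:
    """Count findings per severity, for a fleet-level dashboard line."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample records (not real logs): one machine shows the full
# chain, the other a lone "out of cash" and a non-USB device event.
T0 = datetime(2025, 3, 14, 2, 10)
SAMPLE_EVENTS = [
    Event(T0, "ATM-001", "Microsoft-Windows-Kernel-PnP", 400,
          {"DeviceInstanceId": "USB\\VID_1234&PID_5678\\EXAMPLE0001"}),
    Event(T0 + timedelta(minutes=2), "ATM-001", "Microsoft-Windows-Security-Auditing", 4688,
          {"NewProcessName": "D:\\update\\svc.exe"}),
    Event(T0 + timedelta(minutes=30), "ATM-001", "ATM-Application", 9001,
          {"Message": "Cassette 1 out of cash"}),
    Event(T0 + timedelta(hours=7), "ATM-001", "Microsoft-Windows-Security-Auditing", 4688,
          {"NewProcessName": "C:\\Windows\\System32\\svchost.exe"}),
    Event(T0 + timedelta(hours=7, minutes=20), "ATM-002", "ATM-Application", 9001,
          {"Message": "Cassette 2 out of cash"}),
    Event(T0 + timedelta(hours=8), "ATM-002", "Microsoft-Windows-Kernel-PnP", 400,
          {"DeviceInstanceId": "PCI\\VEN_8086&DEV_1234\\3&11583659&0&C8"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.time:%Y-%m-%d %H:%M} {f.atm_id} [{f.severity}] {f.reason}")
```

On the constructed sample the first machine produces a medium USB finding, a high finding for the executable started from a removable drive, and a high “out of cash” finding tied to both; the second machine's lone “out of cash” stays low and its PCI device event is ignored. The correlation window is the design point: an “out of cash” alone is routine, but one that follows a USB insertion or an unknown executable on the same cabinet is what the advisory's indicator list is meant to surface, and the window should be tuned to how long a cabinet stays open during legitimate servicing.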
