ATM jackpotting attacks surged dramatically in 2025, with cybercriminals using specialized malware to force cash machines to spit out money on command, often without touching any customer account. This new wave of attacks exposed serious weaknesses in how banks protect the physical and digital components of their ATM fleets.
According to FBI figures, there have been about 1,900 reported ATM jackpotting cases in the United States since 2020, and more than 700 of those incidents occurred in 2025 alone, causing over 20 million dollars in losses. The attacks rely heavily on malware families such as Ploutus, which has been around for over a decade but continues to evolve. Instead of targeting customer accounts, Ploutus directly compromises the ATM’s operating system, allowing crooks to drain cassettes in minutes before anyone notices something is wrong.
To execute a jackpotting operation, attackers first need physical access to the machine’s internals. The FBI notes that gangs often use widely available “generic” keys to open the service panel, then remove or connect to the hard drive or USB ports. Once inside, they either load malware onto the existing drive or swap in a pre‑infected disk that boots a compromised operating system capable of issuing unauthorized dispense commands. In many cases, a mule returns later, enters a secret code or connects a device, and collects the cash as the ATM empties itself.
What makes these operations so dangerous is that the malware can bypass normal bank authorization checks and trigger cash withdrawals without a card, PIN, or even a linked account.Because the machine behaves as if it is performing legitimate transactions, banks often only discover the theft after reconciling cash levels and seeing large, unexplained shortages. The U.S. Justice Department has already charged dozens of suspects in jackpotting schemes, including crews tied to transnational criminal groups accused of stealing millions of dollars from victim banks and credit unions.
In response, the FBI and regulators are urging financial institutions and ATM operators to harden both physical and software defenses. Recommended steps include replacing standard locks, reinforcing ATM cabinets, keeping systems fully patched, and closely monitoring machines for signs of tampering or unexpected restarts. As 2026, ATM jackpotting has become a priority threat for the banking sector, underlining the need for continuous security upgrades and better coordination between banks, law enforcement, and cybersecurity teams.
