
FBI Warns of Surge in ATM Jackpotting Attacks After $20 Million Stolen in 2025


More than $20 million was stolen from compromised ATMs across the United States last year through a growing malware-driven scheme, according to a recent alert from the Federal Bureau of Investigation (FBI). Authorities say the tactic, known as ATM jackpotting, has seen a sharp rise in activity.

ATM jackpotting is a cyber-physical attack in which criminals manipulate both hardware and software weaknesses in ATMs to install malicious programs. Once deployed, the malware forces the machine to release cash on command without approval from the bank. Since 2020, nearly 1,900 such incidents have been recorded, with over 700 reported in 2025 alone, as detailed in a Thursday security advisory.

Attackers typically begin by using universal or generic keys to unlock the ATM cabinet. After gaining access, they either remove the machine’s hard drive to load malware onto it before reinstalling it, or swap it entirely with a pre-infected drive containing jackpotting software.

One of the most frequently used tools in these operations is Ploutus malware. This malicious program targets eXtensions for Financial Services (XFS), an open-standard API that enables ATMs and point-of-sale systems to communicate with banking applications across different hardware providers. 

Under normal conditions, XFS allows banking software to process transactions and authorize cash withdrawals. However, the malware manipulates this system, letting attackers send unauthorized commands that trigger the ATM to dispense money instantly.

Unlike card skimming schemes that compromise customer data and PIN numbers, jackpotting attacks primarily impact financial institutions. Banks and ATM operators bear the financial losses, which total tens of millions of dollars annually. These incidents are also challenging to detect in real time, often only becoming apparent after funds have already been removed.

In its latest advisory, the FBI outlined several warning signs for ATMs operating on Windows systems. These include suspicious executable files and scripts, unusual system event IDs linked to USB device insertions, missing hard drives, unauthorized hardware connected to the machine, and unexpected “out of cash” notifications. Financial institutions are urged to review these indicators closely to prevent further exploitation.
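The warning signs above are individually noisy on an ATM fleet (cassettes do run empty, and technicians do plug in USB devices), so the useful check is correlation: an "out of cash" notification that follows a USB insertion or an executable launched from outside the approved image within a short window. The following is an added example written for this page, not code from the FBI advisory or the article. It assumes the ATM's Windows audit policy records Security event 6416 (new external device recognized) and 4688 (process creation), both real Windows Security log IDs; the `ATMApp` channel, its event code 9001 for "out of cash", the allowlisted directories and the sample records are all constructed for illustration.

```python
"""
Correlation check over Windows-style event records, modelled on the
jackpotting indicators listed in the FBI advisory. Added example, not the
advisory's or the article's code; IDs/fields marked below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    channel: str      # log channel, e.g. "Security" or the constructed "ATMApp"
    event_id: int
    message: str


# Real Windows Security log IDs (assumption: the ATM's audit policy enables them):
#   6416 = "A new external device was recognized by the system" (Audit PNP Activity)
#   4688 = "A new process has been created"
USB_DEVICE_EVENT = 6416
PROCESS_CREATE_EVENT = 4688
# Constructed: the ATM application's own channel and its "out of cash" code.
ATM_CHANNEL = "ATMApp"
OUT_OF_CASH_EVENT = 9001
# Constructed allowlist of directories a legitimate ATM image runs code from.
ALLOWED_DIRS = ("c:\\program files\\", "c:\\windows\\")


def classify(e: Event) -> Optional[str]:
    """Map one record to one of the advisory's indicators, or None."""
    if e.channel == "Security" and e.event_id == USB_DEVICE_EVENT:
        return "usb_device_inserted"
    if e.channel == "Security" and e.event_id == PROCESS_CREATE_EVENT:
        # 4688 messages carry the full image path after "New Process Name:"
        path = e.message.split("New Process Name:", 1)[-1].strip().lower()
        if path and not path.startswith(ALLOWED_DIRS):
            return "unexpected_executable"
        return None
    if e.channel == ATM_CHANNEL and e.event_id == OUT_OF_CASH_EVENT:
        return "out_of_cash"
    return None


def correlate(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Alert when an 'out of cash' notification follows a USB insertion or an
    unexpected executable within `window`. A lone indicator never alerts, so a
    routine empty cassette or a documented service visit stays quiet."""
    tagged = [(e.ts, classify(e)) for e in sorted(events, key=lambda x: x.ts)]
    tagged = [(ts, tag) for ts, tag in tagged if tag]
    alerts = []
    for ts, tag in tagged:
        if tag != "out_of_cash":
            continue
        precursors = sorted({t for pts, t in tagged
                             if t != "out_of_cash" and ts - window <= pts <= ts})
        if precursors:
            alerts.append({"at": ts, "precursors": precursors})
    return alerts


def sample_events() -> List[Event]:
    """Constructed records for a single ATM host; not real telemetry."""
    t0 = datetime(2025, 6, 1, 2, 0)
    return [
        Event(t0, "Security", 4688,
              "New Process Name: C:\\Program Files\\ATM\\agent.exe"),
        Event(t0 + timedelta(minutes=5), "Security", 6416,
              "A new external device was recognized by the system. Class: USBSTOR"),
        Event(t0 + timedelta(minutes=6), "Security", 4688,
              "New Process Name: E:\\update.exe"),
        Event(t0 + timedelta(minutes=14), ATM_CHANNEL, 9001, "Cassette 1 out of cash"),
        # An empty cassette nine hours later with no precursor: no alert.
        Event(t0 + timedelta(hours=9), ATM_CHANNEL, 9001, "Cassette 2 out of cash"),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert["at"].isoformat(), alert["precursors"])
```

Run against the constructed records, the first "out of cash" event is preceded within the window by both a USB insertion and a process started from a removable drive letter and raises one alert; the second, nine hours later with no precursor, does not. The same shape extends to the advisory's other indicators (a missing drive or unrecognized hardware would appear as additional precursor tags) once the corresponding log sources are known.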

US DoJ Charges 54 Linked to ATM Jackpotting Scheme Using Ploutus Malware, Tied to Tren de Aragua


The U.S. Department of Justice (DoJ) has revealed the indictment of 54 people for their alleged roles in a sophisticated, multi-million-dollar ATM jackpotting operation that targeted machines across the United States.

According to authorities, the operation involved the use of Ploutus malware to compromise automated teller machines and force them to dispense cash illegally. Investigators say the accused individuals are connected to Tren de Aragua (TdA), a Venezuelan criminal group that the U.S. State Department has classified as a foreign terrorist organization.

The DoJ noted that in July 2025, the U.S. government imposed sanctions on TdA’s leader, Hector Rusthenford Guerrero Flores, also known as “Niño Guerrero,” along with five senior members. They were sanctioned for alleged involvement in crimes including “illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities.”

An indictment returned on December 9, 2025, charged 22 individuals with offenses such as bank fraud, burglary, and money laundering. Prosecutors allege that TdA used ATM jackpotting attacks to steal millions of dollars in the U.S. and distribute the proceeds among its network.

In a separate but related case, another 32 defendants were charged under an indictment filed on October 21, 2025. These charges include “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of damage to computers.”

If found guilty, the defendants could face sentences ranging from 20 years to as much as 335 years in prison.

“These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

Officials explained that the scheme relied on recruiting individuals to physically access ATMs nationwide. These recruits reportedly carried out reconnaissance to study security measures, tested whether alarms were triggered, and then accessed the machines’ internal components.

Once access was obtained, the attackers allegedly installed Ploutus either by swapping the ATM’s hard drive with a preloaded one or by using removable media such as a USB drive. The malware can send unauthorized commands to the ATM’s Cash Dispensing Module, causing it to release money on demand.

“The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM,” the DoJ said. “Members of the conspiracy would then split the proceeds in predetermined portions.”

Ploutus first surfaced in Mexico in 2013. Security firms later documented its evolution, including its exploitation of vulnerabilities in Windows XP-based ATMs and its ability to control Diebold machines running multiple Windows versions.

“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes,” researchers noted. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM.”

The DoJ estimates that since 2021, at least 1,529 jackpotting incidents have occurred in the U.S., resulting in losses of approximately $40.73 million as of August 2025.

“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes,” said U.S. Attorney Lesley Woods.