FBI Warns Hackers Steal Millions From ATMs

Bill Thompson
By Bill Thompson
News
6 Min Read

The FBI is warning financial institutions and ATM operators that criminal groups are increasingly “jackpotting” cash machines across the United States, siphoning off millions of dollars by exploiting both software flaws and physical access. The alert underscores a rapid rise in coordinated heists that target the machine itself rather than customer accounts.

FBI Flags Surge in ATM Jackpotting Across the U.S.

According to a recent FBI bulletin, agents have tracked more than 1,900 jackpotting incidents reported since 2020, with over 700 cases in 2025 alone leading to losses exceeding $20 million. Investigators say the trend reflects better-resourced, more disciplined crews and a mature criminal ecosystem that now treats ATM cash-outs as repeatable operations.

Table of Contents
A persons hand inserting a blue credit card into an ATM machine.

Federal authorities characterize the attacks as “logical” compromises—using malware or unauthorized electronics—often paired with quick, low-tech tampering to reach ports or internal components. The U.S. Secret Service has previously documented similar campaigns, and European industry groups such as the European ATM Security Team have reported waves of related “black box” activity in recent years.

How the ATM Jackpotting Heists Typically Work

Jackpotting manipulates the dispenser to spit out cash without recording a legitimate withdrawal. Crews typically gain brief physical access to a unit, defeat basic protections, and then interact with the machine’s software stack or dispenser controller using illicit tools. The result is a rapid series of unlogged payouts that can empty cassettes in minutes, frequently before operators notice a problem.

Investigators differentiate between on-machine malware attacks and “black box” operations. In the former, malicious code runs on the ATM’s computer; in the latter, criminals attach an external device that sends unauthorized commands to the dispenser. In both cases, the transaction host and bank ledger aren’t consulted, which is why these crimes harm the ATM owner or processor rather than draining customer balances.

Why Ploutus Malware Remains Potent for ATM Theft

A key enabler is Ploutus, a long-running malware family first seen in Latin America and later adapted to U.S. and European models. Security firms including Mandiant have documented how Ploutus variants interface with ATM middleware layers, such as XFS-based components, to issue dispenser commands. Once installed, operators—often called “money mules” in law-enforcement parlance—can trigger fast cash-outs without touching any cardholder data.

The FBI notes that Ploutus-style attacks focus on the terminal, not the bank core. That focus makes the thefts swift and hard to spot; reconciliation mismatches or empty cassettes may be the first signs something is wrong. Criminal groups also rotate tactics, which helps them bypass simple rules-based detection and frustrates after-the-fact forensics.

Who Is Most at Risk from ATM Jackpotting Attacks

Off-premises ATMs—those in convenience stores, hotels, or standalone kiosks—are disproportionately targeted because they tend to have fewer physical controls and limited after-hours oversight. Older terminals running outdated operating systems or unpatched firmware are also common victims. The Secret Service’s first confirmed U.S. jackpotting cases in 2018 involved legacy models, a pattern that persists as criminals scout for the path of least resistance.

Two open suitcases filled with stacks of cash, with police officers and other individuals standing in the background.

What Banks and ATM Operators Can Do Right Now

Law enforcement and industry groups recommend layered defenses. Priorities include:

  • Hardening XFS/middleware configurations
  • Enforcing BIOS and boot protections
  • Encrypting and whitelisting software on the ATM
  • Disabling or securing internal ports
  • Adding tamper sensors
  • Segmenting ATM networks from other systems

Vendors and the ATM Industry Association have also urged rapid deployment of vendor patches and stronger authentication between the ATM PC and dispenser.

Operationally, institutions can:

  • Raise alarms on unusual dispenser activity
  • Implement cash-level limits per time window
  • Correlate service calls with access events

Many successful cases involve mules posing as technicians; better access auditing, two-person maintenance rules, and video verification can disrupt that ruse. The FBI encourages operators to preserve logs and video and to contact agents promptly if suspicious activity is detected.

What Consumers Should Know About ATM Jackpotting

Jackpotting targets the machine, not your bank account. Consumers are typically not liable for these losses, and funds in insured accounts remain protected. Still, experts recommend ordinary vigilance—report obvious signs of tampering, avoid using ATMs with loose panels or missing security seals, and monitor statements for anomalies.

The broader takeaway is clear: as banks have improved card security and fraud monitoring, criminals have shifted to attacking the terminal layer itself. The FBI’s warning signals that the window for patching older fleets and tightening procedures is closing—and that institutions slow to act risk being the next casino for a criminal “jackpot.”

Bill Thompson
ByBill Thompson
Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.
Latest News