Dozens more are charged in Ploutus ATM jackpotting conspiracy

Summary

The US Department of Justice has unveiled a federal grand jury indictment charging 31 people accused of using Ploutus malware to steal cash from ATMs. Authorities say the group stole at least $5.4 million from at least 63 ATMs between February 2024 and December 2025, many of them belonging to credit unions.

The alleged scheme involved surveilling target machines, opening ATM doors to test alarms, and, when safe, replacing hard drives or inserting thumb drives that deployed Ploutus. The malware enabled attackers to bypass security and command ATMs to dispense cash. Some defendants are alleged members of the Venezuelan gang Tren de Aragua and several are described as undocumented immigrants. Charges include conspiracy to commit bank fraud, bank burglary, and computer fraud. The DOJ had charged 56 others in connection with the same jackpotting campaign the previous month.

Ploutus is a long‑running ATM malware family first spotted by Symantec in 2013 and linked to large jackpotting incidents since then. Security researchers, including teams at Google, have described Ploutus as one of the most advanced ATM malware families, and multiple ATM vendors have been shown to be vulnerable over time.

Key Points

  • The DOJ has charged 31 additional suspects in a Ploutus ATM jackpotting conspiracy.
  • The gang allegedly stole at least $5.4 million from at least 63 ATMs between Feb 2024 and Dec 2025.
  • Attack method: reconnaissance, physical opening of ATM cabinets to test alarms, then swapping hard drives or inserting USBs loaded with Ploutus.
  • Ploutus can commandeer ATMs to dispense cash by bypassing onboard security controls.
  • Some defendants are accused members of the Venezuelan gang Tren de Aragua; charges include bank fraud, bank burglary and computer fraud.
  • Fifty‑six other suspects were charged in a related action the month before.
  • Ploutus has been active and evolving since 2013; Diebold Nixdorf ATMs and the Kalignite Platform have been identified as affected.

Context and Relevance

This case highlights the persistent threat of ATM jackpotting and the sophistication of malware families like Ploutus. For banks, credit unions and ATM vendors it underscores the need for layered defence: improved physical security on ATM cabinets, stricter access controls for internal components, firmware integrity checks and rapid incident response. For cybersecurity teams and law enforcement it shows how organised criminal groups combine physical and technical tradecraft to monetise longstanding vulnerabilities.

Author style

Punchy: this isn’t just another cyber brief — it’s a reminder that legacy hardware and physical access are still major attack vectors. Read the detail if you work in payments, ATM operations or incident response; it’s directly relevant.

Why should I read this?

Quick heads‑up: if you look after ATMs, payment security, or just track organised cybercrime, this matters. We’ve pulled out the essentials so you don’t have to wade through the whole press release — who was charged, how they did it, how much they stole, and why Ploutus keeps turning up. It’s useful intel for patching, hardening and prioritising risk.

Source

Source: https://therecord.media/dozens-more-charged-ploutus-jackpotting-atm