FBI: More than 700 ATM jackpotting incidents with losses over $20 million occurred in 2025
Summary
Criminals are increasingly using malware to make ATMs dispense cash without any legitimate transaction. The FBI says it has tracked more than 1,900 ATM jackpotting incidents since 2020 and over 700 in 2025 alone, with losses topping $20 million.
Attackers combine physical access with software weaknesses, notably in the XFS (eXtensions for Financial Services) middleware layer that ATM applications use to drive peripherals such as the cash dispenser, to install malware such as Ploutus. Once installed, this malware can command the dispenser directly, bypassing bank authorisation, and because XFS is a vendor-neutral interface on Windows, the same malware often works across multiple vendors with minimal code changes.
Key Points
- The FBI has recorded over 1,900 jackpotting incidents since 2020 and more than 700 in 2025, with combined losses exceeding $20 million.
- Malware families like Ploutus target the XFS layer on ATMs, enabling attackers to issue cash-dispense commands without customer accounts or bank approval.
- The typical attack method involves obtaining physical access using widely available generic keys, then removing or replacing the ATM hard drive to load malware.
- Ploutus has been active since at least 2013, has evolved through multiple variants, and has targeted vendors including Diebold Nixdorf and others.
- The DOJ recently indicted a gang accused of stealing at least $5.4 million from 63 ATMs between February 2024 and December 2025 using Ploutus-style techniques.
- These attacks are fast, hard to detect in real time, and can be reused across different ATM models because they exploit the Windows OS and the ATM software stack.
Content summary
The FBI flash alert explains that jackpotting has surged as criminals combine simple physical tactics (generic keys, drive swaps) with sophisticated malware that controls ATM hardware via the XFS interface. Ploutus is the most notable family cited, first spotted in 2013 and continually updated, and it allows attackers to dispense cash on demand without interacting with bank systems or customer accounts. Recent DOJ charges show organised groups have used these techniques to steal millions from credit unions and other ATM operators.
Context and relevance
This alert matters because it highlights a persistent, evolving threat to bank-owned hardware and to smaller financial institutions that may lack hardened physical and software controls. For security teams, cash-handling businesses and regulators, the report underlines the need to tighten physical access (replace generic locks, restrict access to the top-hat compartment and hard drive), harden the Windows OS and XFS configuration (disk encryption, allow-listing, locked-down boot order), implement tamper alarms and monitoring that can reconcile dispenser activity against host authorisations, and speed up incident response. It also ties into broader trends of hardware-targeted malware and the reuse of toolkits across regions and vendors.
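One monitoring control that follows directly from how jackpotting works: the malware drives the dispenser through XFS, so cash leaves the machine without the bank host ever approving a withdrawal. Reconciling dispenser-layer events against host authorisations catches that gap. The script below is an added example written for this summary; it is not code from the FBI alert, The Record, or any ATM vendor. The log formats, ATM identifiers and sample lines are constructed for illustration, and the 30-second pairing window and 120-second burst window are assumed values a deployment would tune.

```python
# Added example (not from the FBI alert, The Record, or any ATM vendor): a
# minimal correlation rule that flags dispenser activity with no matching host
# authorization. Log formats and sample lines are constructed for illustration;
# a real deployment would feed in the ATM application's own journal and the
# switch/host authorization log.
from datetime import datetime, timedelta

# Constructed sample: dispense events as recorded at the cash-dispenser (CDM) layer.
DISPENSE_LOG = """\
2025-11-03T02:14:07Z atm=ATM-0412 event=CDM_DISPENSE amount=2000
2025-11-03T02:14:09Z atm=ATM-0412 event=CDM_DISPENSE amount=2000
2025-11-03T02:14:12Z atm=ATM-0412 event=CDM_DISPENSE amount=2000
2025-11-03T09:30:15Z atm=ATM-0412 event=CDM_DISPENSE amount=100
2025-11-03T09:31:02Z atm=ATM-0413 event=CDM_DISPENSE amount=60
"""

# Constructed sample: withdrawals the bank host actually authorized for the same ATMs.
HOST_LOG = """\
2025-11-03T09:30:11Z atm=ATM-0412 event=HOST_AUTH amount=100 pan_last4=4411
2025-11-03T09:30:58Z atm=ATM-0413 event=HOST_AUTH amount=60 pan_last4=8820
"""


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict; amount becomes an int."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["amount"] = int(rec["amount"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_unauthorized_dispenses(dispense_text, host_text, window=timedelta(seconds=30)):
    """Return every dispense that cannot be paired with a host authorization.

    A dispense is treated as legitimate only if the same ATM received a host
    approval for the same amount at most `window` before the cash came out.
    Each approval is consumed once, so a replayed or duplicated dispense that
    reuses an earlier approval is still flagged.
    """
    dispenses = parse_log(dispense_text)
    unused_auths = parse_log(host_text)
    alerts = []
    for d in dispenses:
        match = next(
            (a for a in unused_auths
             if a["atm"] == d["atm"]
             and a["amount"] == d["amount"]
             and timedelta(0) <= d["ts"] - a["ts"] <= window),
            None,
        )
        if match is None:
            alerts.append({**d, "reason": "no_host_auth"})
        else:
            unused_auths.remove(match)
    return alerts


def dispense_bursts(alerts, window=timedelta(seconds=120), min_events=2):
    """ATMs whose unauthorized dispenses cluster in time: the repeated
    cassette-draining cadence of a jackpotting session, as opposed to a
    single missing host record caused by a logging gap."""
    by_atm = {}
    for a in alerts:
        by_atm.setdefault(a["atm"], []).append(a["ts"])
    bursty = []
    for atm, stamps in by_atm.items():
        stamps.sort()
        for i in range(len(stamps) - min_events + 1):
            if stamps[i + min_events - 1] - stamps[i] <= window:
                bursty.append(atm)
                break
    return bursty


if __name__ == "__main__":
    found = find_unauthorized_dispenses(DISPENSE_LOG, HOST_LOG)
    for a in found:
        print(f"ALERT {a['ts']:%Y-%m-%dT%H:%M:%SZ} {a['atm']} "
              f"dispensed {a['amount']} with no host auth")
    print("burst on:", dispense_bursts(found))
```

On the constructed sample, the three 02:14 dispenses from ATM-0412 have no host approval and fire as a burst, while the two daytime withdrawals pair with their authorisations and stay quiet. The rule is only as good as the integrity of the dispenser-side log, so it belongs on a collector the ATM cannot silence; an attacker who has swapped the hard drive can suppress local logging, which is why the page's point about tamper alarms on the cabinet and drive matters alongside this kind of correlation.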
Why should I read this?
Look, if you work with ATMs, run a credit union, or manage payments tech, this is not background noise. It is proof that criminals are combining simple physical tricks with mature, well-maintained malware to drain machines in minutes. Read this so you know what to lock down, what to watch for, and why your alarms and drive security matter more than ever.
Author style
Punchy: this is high-risk, ongoing criminal activity that financial and security teams should treat as urgent. If you care about preventing direct cash loss, the details here are worth your time.
Source
Source: https://therecord.media/fbi-atm-jackpotting-2025-report
