The Federal Bureau of Investigation is warning that ATM “jackpotting” attacks have been surging across the United States, draining millions from banks.
Released on Feb. 19, the law enforcement agency’s new report has highlighted that criminals are exploiting both physical access and malware to empty machines without touching customer accounts.
Jackpotting is a multi-step process. First, attackers use widely sold generic keys to open the front panel. Then, they pull out the hard drive and load it with Ploutus-family malware on their own computer, or swap in a pre-infected drive.
Once that is complete, they reinstall the drive and reboot the machine, and the malware completely takes over. It bypasses the bank’s authorization process by issuing direct commands through the ATM’s XFS software layer, the same middleware that normally tells the cash dispenser what to do during a legitimate withdrawal.
This gets the machine to spit its guts out on demand within a matter of minutes, completely draining it of cash. No card, personal identification number (PIN) or connection to the bank is necessary.
Numbers from the FBI are showing rapid growth in this type of theft. Since 2020, the bureau has tracked approximately 1,900 incidents nationwide. More than 700 of these struck in 2025 alone, costing financial institutions over US$20 million last year.
The thieves responsible strike swiftly, leaving a minimal digital trace on bank networks and disappearing before anybody notices the money is gone.
The history of ATM theft is a long, evolving story. Early criminals attached skimmers to steal card data or simply smashed machines for the cash inside. By the mid-2010s, sophisticated crews shifted to malware. The Ploutus family of malware first appeared around 2013, and variants continue to improve.
Jackpotting represents the latest and most advanced technique. Attackers now combine cheap physical tools and malicious software targeting Windows operating systems to turn ATMs into personal cash machines. Unlike card-skimming operations that harvest data for later fraud, jackpotting delivers instant, difficult-to-trace money straight from the vault.
Banks and ATM operators are currently working to add better locking systems, hard-drive encryption, device whitelisting/allowlisting tech and real-time sensors to combat the troubling trend.
Follow Rowan Dunne on LinkedIn
rowan@mugglehead.com