A flash alert published on Thursday by the FBI warns of an increase in malware-enabled ATM jackpotting attacks in the United States.
According to the agency, roughly 1,900 ATM jackpotting attacks have been reported since 2020, with more than 700 in 2025 alone. The incidents recorded last year resulted in losses exceeding $20 million.
ATM jackpotting attacks involve physical access to the targeted machine to plant malware that instructs its cash-dispensing module to eject currency.
The US has cracked down on ATM jackpotting, prosecuting dozens of individuals for various roles in such operations. Many of the suspects targeted by the Justice Department in recent months are Venezuelan nationals, and they face deportation.
US authorities suggest that multiple malware families are used in ATM jackpotting, but the most frequently named is Ploutus.
Ploutus has been around for more than a decade, but until recently it had not been in the news much since its peak in 2017 and 2018.
A map published last year by the Justice Department showing the locations of jackpotting incidents in the US suggested that Ploutus has remained active.
The FBI’s latest alert confirms that the malware is still widely used.
“Once Ploutus is installed on an ATM, it gives threat actors direct control over the machine, allowing them to trigger cash withdrawals,” the FBI said. “Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.”
“The malware can be used across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise,” the law enforcement agency noted.
The FBI’s alert provides indicators of compromise (IoCs) to help targeted organizations detect attacks, along with recommended mitigations.
However, authorities have previously said that the Ploutus malware is designed to autonomously delete traces of its own code to deceive forensic investigators and bank employees.

