The FBI warned that Americans lost more than $20 million last year amid a massive surge in ATM “jackpotting” attacks, in which criminals use malware to force cash machines to dispense money.
According to a Thursday FBI flash alert, more than 700 ATM jackpotting incidents were reported last year alone in a significant spike compared to the roughly 1,900 total incidents reported across the United States since 2020.
These attacks can be carried out in minutes and target the software layer controlling an ATM’s physical hardware, using malicious tools such as the Ploutus malware. Most often, they go undetected by financial institutions and ATM operators until the cash is already gone.
As the FBI explained, cash machines are designed to verify transactions through their bank before dispensing cash. However, Ploutus bypasses this process entirely, allowing the criminals to issue commands directly to the ATM and trigger withdrawals on demand without a bank card, a customer account, or the bank’s approval.
“Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do. When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization,” the FBI said. “If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand.”
To install the malware, the attackers usually gain physical access to the targeted ATM using widely available generic keys. Once inside, they remove the machine’s hard drive, copy malware onto it and reinstall it, or even swap the original drive out entirely for another one preloaded with the malicious software.
To defend against these attacks, the FBI encouraged financial institutions to audit their ATM systems for signs of unauthorized removable storage use and unauthorized processes.
“When combined with gold image integrity validation, this approach enables early identification of physical intrusion and malware staging events that would otherwise evade network-based monitoring,” the law enforcement agency added.
FBI’s warning comes after a wave of arrests targeting members of the Tren de Aragua (TdA) gang, all linked to a massive ATM jackpotting scheme that used Ploutus malware to steal millions in cash from bank ATMs across the United States.
In total, the U.S. Department of Justice has charged 87 Tren de Aragua members over the past six months, who are now facing maximum prison terms ranging from 20 to 335 years each.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
