The Federal Bureau of Investigation (FBI) has issued a stark warning about a dramatic rise in ATM jackpotting attacks, a sophisticated form of cyber-enabled theft that allows criminals to force automated teller machines to dispense large sums of cash without any legitimate transaction. In a recent flash alert, the bureau highlighted that more than 700 such incidents occurred in 2025 alone, resulting in losses exceeding $20 million for financial institutions and ATM operators across the United States.
This surge represents a significant portion of the nearly 1,900 jackpotting cases documented nationwide since 2020, underscoring how quickly this threat has escalated in recent years.
ATM jackpotting typically involves criminals gaining physical access to a machine—often by prying open panels or tampering with ports—to install malware or unauthorized hardware.
Once infected, the device can be commanded to eject cash on demand, bypassing normal authorization processes from the bank.
A key culprit remains the Ploutus family of malware, which has persisted for over a decade and exploits vulnerabilities in the ATM’s eXtensions for Financial Services (XFS) software layer.
This layer handles physical commands like dispensing currency, enabling attackers to issue direct instructions without needing to compromise customer accounts or card details.
The attacks blend physical intrusion with digital exploitation, making them particularly challenging to prevent.
Perpetrators often target standalone or less-secure ATMs in remote locations, working quickly to extract funds before alarms or monitoring trigger a response.
The FBI’s advisory notes that these operations are increasingly organized, with some linked to broader criminal networks profiting from stolen cash.
The sharp uptick in 2025 has prompted renewed calls for vigilance among banks, credit unions, and independent ATM deployers.
Experts point to outdated software, weak physical security measures, and delayed patching as contributing factors that leave machines vulnerable.
In response, the FBI has shared indicators of compromise, including specific file names and behaviors associated with jackpotting malware, along with recommended defenses such as enhanced surveillance, restricted access to ATM internals, regular firmware updates, and network segmentation to limit malware spread.
Financial institutions are urged to implement multilayered protections, including intrusion detection systems tailored to ATM environments and employee training to spot tampering signs.
As cybercriminals continue refining these techniques, the alert serves as a timely reminder that legacy banking hardware remains a lucrative target in the evolving landscape of financial crime.
This wave of attacks not only drains cash reserves but also erodes public confidence in everyday banking infrastructure. With millions already lost and the potential for further escalation, proactive security investments are essential to stem the tide of jackpotting before it becomes more widespread.