On May 7 and May 8, the duo allegedly targeted three ATMs of the Bank of Sierra, one at Visalia and two at Tulare. Those jackpot attempts failed.

According to an FBI forensic analysis, the suspects focused on specific ATM models with software, hardware and physical security vulnerabilities.

They honed in on Diebold DN Series and NCR 6888 models, which use a generic key, available online, that unlock the ATM panels.

After gaining access to the ATM, Morantes allegedly removed the hard drive, uploaded the malware offsite and reinstalled it to the ATM’s computer. The FBI forensic analysis also revealed that Morantes allegedly exploited software vulnerabilities in the Activate Enterprise security software by using a wireless keyboard to launch the malware, forcing the ATM to dispense all of its available cash.

On May 23, Morantes also is suspected of jackpotting the $120 million Power Credit Union ATM in Canon City, Colo., allegedly stealing $68,000.

On May 27, he allegedly took $10,000 from a Points West Community Bank (PWCB) ATM in Greeley, Colo., and the following day stole $8,000 from another PWCB ATM in Wellington, Colo.

By 1 a.m. on May 29, Morantes and Gonzalez were in Sidney, Neb., where they allegedly stole $32,000 from another PWCB ATM, according to the criminal complaint.

Federal investigators used ATM surveillance footage, license plate readers, cross-state travel data, social media matching and travel pattern analysis to identify the suspects. Morantes was identified when he removed his mask during an attempted jackpotting at Oregon State Credit Union in Salem, which holds $2.6 billion in assets.

By the end of May, local and federal law enforcement agents tracked one of the suspect’s cars at a hotel in Aurora, Colo., where they were arrested.

After interviewing Morantes and Gonzalez, investigators learned about WhatsApp group chats used to plan and coordinate the jackpotting attacks. In a group with at least 13 members, participants exchanged Google Map locations and ATM photos and discussed tactics, including how to split the stolen money. Morantes led some discussions, while Gonzalez was active in at least two chat groups. One message included a GIF depicting a man standing in front of an ATM dispensing cash.

Morantes and Gonzalez have been charged with conspiracy to steal cash from ATMs. Morantes also faces one count of bank robbery, one count of accessing a protected computer in furtherance of fraud, and three counts of attempting to access a protected computer in furtherance of fraud.

On Monday, Morantes pleaded not guilty during a federal court hearing in Fresno. Gonzalez did not enter a plea during a federal court hearing in Denver on July 3. They both remain in federal custody.

Peter Strozniak can be reached at [email protected].