An international terrorist organization orchestrated a massive ATM fraud scheme that netted more than $1 million from credit unions and banks, federal authorities in Nebraska said Thursday. 

The superseding indictment, unsealed Wednesday, alleges 54 individuals carried out the operation using advanced surveillance and burglary tactics to install malware in ATMs to steal and launder money, which funded the criminal activities of Tren de Aragua (TdA), a U.S.-designated Foreign Terrorist Organization that originated as a Venezuelan prison gang in the mid-2000s, according to Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department's Criminal Division.

The individuals face multiple charges, including conspiracy to commit bank fraud, bank fraud, conspiracy to commit bank burglary and computer fraud. They allegedly targeted 12 credit unions and 20 banks in Nebraska, where most of the ATM jackpotting attacks occurred, as well as in Utah, Kansas, Washington, Iowa, Oklahoma, Colorado, Tennessee, New York, Missouri, Oregon, Michigan and California. 

A compilation of security images from different jackpotting instances around the country provided by the U.S. Attorney's Office.

According to the indictment, the earliest jackpotting attack happened on Feb. 6, 2024, at a Mountain America Credit Union ATM on Redwood Road in Salt Lake City, where $56,800 was stolen. The most recent incident occurred July 6, 2025, at a Heartland Bank ATM in Kearney, Neb., where the conspirators attempted to steal $17,000.

Five other successful attacks on credit union ATMs included:  

  • Merced School Employees Federal Credit Union (Los Banos, Calif.): $98,400;  
  • Washington State Employees Credit Union (Evergreen State College campus, Olympia, Wash.): $70,600;  
  • Foothills Federal Credit Union (Loudon, Tenn.): $66,000;  
  • Heartland Credit Union (Hutchinson, Kan.): $50,000 (two ATMs at $25,000 each);  
  • and Five Star Community Credit Union (Mount Pleasant, Iowa): $25,000. 

The total loss was $366,800. 

Unsuccessful attempts included: 

  • AmeriCU Credit Union (Rome, N.Y.): $48,156;
  • High Point Federal Credit Union (Olean, N.Y.): $153,940; 
  • First Source Federal Credit Union (Rome, N.Y.): $117,347;
  • First Source Federal Credit Union (New Hartford, N.Y.): $96,787; 
  • Blue Ox Credit Union (Sterling Heights, Mich.): $37,373; 
  • North Platte Union Pacific Employees Community Credit Union (North Platte, Neb.): $37,460;
  • and Trius Federal Credit Union (Kearney, Neb.): $15,520.

The total intended loss: $506,583. 

Twelve successfully compromised bank ATMs suffered $722,620 in losses. An additional eight unsuccessful attacks involved attempted thefts totaling $515,027. This article's accompanying indictment lists the names and locations of the banks.

The combined total loss from all credit union and bank ATMs: $1,089,420. Total intended loss: $1,021,610. 

The conspirators carried out the ATM jackpotting scheme while traveling in groups. They communicated with each other using encrypted messaging apps such as Telegram or WhatsApp, and shared guides on deploying malware on the ATMs. They conducted reconnaissance by taking pictures of the exterior of the ATM and its lock, and by noting any other external security features, such as a metal bar that would prevent them from opening the ATM. They also opened the hood or door of the ATM to take photos of the computer within the machine.

After opening the ATM, they would scatter but remain nearby to determine if the ATM had an alarm that triggered a police response. The conspirators also glued or obstructed the sensors on the ATM to prevent it from deploying an alarm. 

After they were certain no alarms were triggered, the conspirators installed hard drives preloaded with Ploutus malware—or connected USB drives or laptops to upload it directly. Remote coconspirators then activated the malware to dispense cash. Ploutus malware was designed to send unauthorized commands to the ATM's dispensing system and then erase itself to avoid detection. 

After stealing the funds, conspirators on-site kept a portion while the rest was transferred through couriers, funnel bank accounts, Bitcoin ATMs, money transfer services, and payment apps. 

One of the individuals named in the indictment is Jimena Romina Araya Navarro, an alleged TdA leader and Venezuelan entertainer who was sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control. Navarro was indicted for providing material support to TdA and its nationwide ATM jackpotting scheme. 

According to court documents, TdA expanded its criminal network from Venezuela to throughout the Western Hemisphere, including the U.S. The organization's criminal activities are drug trafficking, firearms trafficking, commercial sex trafficking, kidnapping, robbery, theft, fraud, and extortion. 

Peter Strozniak can be reached at peter.strozniak@arc-network.com. 
