More than 700 of the 1,900 ATM jackpotting attacks reported nationwide since 2020 occurred in 2025, causing more than $20 million in losses for credit unions and banks, according to the FBI.

The surge prompted the FBI to release an actionable cyber intelligence statement last week urging organizations to implement recommended mitigation measures to help prevent ATM jackpotting incidents.

Of the 700 reported jackpotting incidents, over 100 have been investigated by federal authorities in Nebraska. Last Friday, a federal grand jury in that state returned an indictment charging six additional individuals in connection with an international criminal organization, Tren de Aragua (TdA), which allegedly carried out more than 100 bank and credit union ATM jackpotting attacks in Nebraska and 15 other states, resulting in more than $6.1 million in losses. The suspects also attempted to steal more than $1.7 million, according to court documents.

The U.S. Attorney's office in Nebraska reported that 93 people allegedly involved in the ATM scheme have been indicted. However, the U.S. Attorney's recent news releases showed that 91 individuals have been charged.

The new indictment – the fourth returned by a Nebraska grand jury in the case – alleged the six defendants conspired to defraud financial institutions in Nebraska, Venezuela, Colombia, Mexico, Spain, El Salvador and Honduras.

However, the indictment detailed nearly $160,000 stolen from unidentified banks in Creston, Iowa; Scottsbluff, Neb.; and Montgomery County, Texas. The suspects also attempted to jackpot a bank ATM in Hendersonville, Tenn., and tried to steal $20,000 from an unidentified credit union in Baton Rouge, La. The indictment did not list specific ATM attacks in the foreign countries named.

According to the FBI, the criminals typically use Ploutus malware to infect ATMs and force them to dispense cash. The malware exploits eXtensions for Financial Services, or XFS, the software layer that directs an ATM's functions. During legitimate transactions, ATM applications send instructions through XFS for bank authorization. But when criminals gain the ability to issue their own commands to XFS, they can bypass bank authorization and direct the machine to dispense cash on demand.

As a result, Ploutus allows criminals to withdraw money without using a bank card, member accounts or bank authorization. The malware targets the ATM itself rather than member accounts, enabling rapid cash-out operations that can occur within minutes and often go undetected until after the money is withdrawn.

The FBI's intelligence statement outlined common infection methods and advised organizations on steps to take before modifying ATM systems. The bureau also recommended specific measures to strengthen physical, hardware and software security.

"The FBI recommends a targeted audit policy focused on removable storage usage, controlled file access, and process creation providing high-fidelity detection of ATM jackpotting activity with minimal system overhead," the statement read. "When combined with gold image integrity validation, this approach enables early identification of physical intrusion and malware staging events that would otherwise evade network-based monitoring."
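The approach described in the statement, a gold image check combined with audit events for removable storage, file access and process creation, can be sketched as a small triage routine. This is an added example, not code from the FBI statement or this article; it assumes a Windows-based ATM logging Security events 6416, 4663 and 4688, and the paths, manifest, file contents and 15-minute window are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Assumed Windows Security event IDs; the page names neither the OS nor any IDs.
DEVICE_ADDED, FILE_ACCESS, PROCESS_CREATED = 6416, 4663, 4688
WINDOW = timedelta(minutes=15)  # assumed correlation window

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(events, gold, disk):
    """Return (severity, message) findings for one ATM."""
    findings = []
    # Gold image validation: each file on disk must match the baseline manifest.
    for path in sorted(disk):
        if path not in gold:
            findings.append(("high", f"not in gold image: {path}"))
        elif sha256(disk[path]) != gold[path]:
            findings.append(("high", f"hash differs from gold image: {path}"))
    # Audit correlation: activity outside the gold image, escalated when it
    # follows a removable-storage attach within WINDOW.
    attached = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == DEVICE_ADDED:
            attached = ev["time"]
            findings.append(("medium", f"removable storage attached {ev['time']:%H:%M}"))
        elif ev["id"] in (FILE_ACCESS, PROCESS_CREATED) and ev["path"] not in gold:
            recent = attached is not None and ev["time"] - attached <= WINDOW
            kind = "process created" if ev["id"] == PROCESS_CREATED else "file accessed"
            findings.append(("critical" if recent else "high", f"{kind}: {ev['path']}"))
    return findings

# Constructed sample data (paths, contents and times are illustrative only).
T0 = datetime(2025, 1, 1, 2, 0)
GOLD = {r"c:\atm\atmapp.exe": sha256(b"app-v1"), r"c:\atm\vendor.dll": sha256(b"dll-v1")}
DISK = {r"c:\atm\atmapp.exe": b"app-v1", r"c:\atm\vendor.dll": b"dll-changed",
        r"c:\temp\unknown.exe": b"?"}
EVENTS = [
    {"id": PROCESS_CREATED, "time": T0, "path": r"c:\atm\atmapp.exe"},
    {"id": DEVICE_ADDED, "time": T0 + timedelta(minutes=60)},
    {"id": FILE_ACCESS, "time": T0 + timedelta(minutes=62), "path": r"c:\temp\unknown.exe"},
    {"id": PROCESS_CREATED, "time": T0 + timedelta(minutes=63), "path": r"c:\temp\unknown.exe"},
]

if __name__ == "__main__":
    for severity, message in triage(EVENTS, GOLD, DISK):
        print(f"{severity:8} {message}")
```

Because both checks run on the ATM's own logs and disk, they surface a physical intrusion that produces no network traffic.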

Peter Strozniak can be reached at peter.strozniak@arc.network.com.
