#malware
Google Warns Hackers Used AI to Plan Massive Zero-Day Cyberattack
Google warned on Monday, May 12, 2026, that hackers attempted to use artificial intelligence tools to plan a large-scale zero-day cyberattack capable of bypassing two-factor authentication systems. The company’s Threat Intelligence Group (GTIG) said it has “high confidence” that cybercriminals used advanced AI models to identify and exploit an undisclosed software vulnerability before developers became aware of it. Officials said Google’s proactive discovery may have stopped what could have become a “mass vulnerability exploitation operation.”

AI Security Threats Raise Industry Alarm

The report highlights growing fears that AI-powered hacking tools are accelerating cyber threats against businesses, government agencies, and critical digital infrastructure worldwide. Google clarified that its own Gemini AI model was not involved. However, investigators found evidence that hackers were using publicly available AI systems, including OpenClaw, to discover software flaws, develop malware, and automate cyberattacks. Security analysts say AI-driven vulnerability discovery could dramatically reduce the time hackers need to launch sophisticated attacks.

OpenAI and Anthropic Also Tighten Security

The findings come as major AI companies increase restrictions on powerful cybersecurity-focused models. Last week, OpenAI announced limited access to GPT-5.5-Cyber for vetted security teams, while Anthropic previously delayed the release of its Mythos model over fears criminals could exploit older software vulnerabilities. According to Google, cyber groups linked to China and North Korea showed “significant interest” in using AI for vulnerability discovery and cyber operations, signaling a rapidly evolving global cybersecurity threat landscape.
FBI warns of sharp rise in ATM jackpotting attacks across US
The Federal Bureau of Investigation has issued a nationwide alert to banks and financial institutions, warning of a significant rise in ATM jackpotting attacks, a form of cyber-enabled theft that forces machines to dispense cash without legitimate transactions. Authorities say the trend is accelerating, with financial losses mounting as criminal groups refine their techniques and expand operations across the United States.

According to federal officials, nearly 1,900 ATM jackpotting incidents have been reported nationwide since 2020. More than 700 of those cases occurred in 2025 alone, resulting in losses exceeding $20 million. The sharp increase has prompted urgent calls for banks to strengthen ATM security controls, monitor suspicious activity more closely, and share threat intelligence with law enforcement.

At the center of the surge is malware from the Ploutus family, a tool specifically designed to hijack ATM systems. Rather than targeting individual customer accounts, the malware attacks the machine’s internal software layer. It exploits the Extensions for Financial Services, or XFS, which normally manages how ATMs physically dispense cash. By injecting unauthorized commands into this layer, attackers can override standard authorization checks and trigger withdrawals without bank approval, card use, or customer credentials.

Security analysts warn that once installed, the malware can give criminals direct control of the machine. Because many ATMs operate on widely used operating systems, the attack can often be adapted across different manufacturers with minimal modification. In many cases, cash-out operations can be completed within minutes, allowing perpetrators to leave before alerts are triggered or the machine runs empty.

Investigators emphasize that physical access remains the most common entry point for these attacks. Criminals frequently use generic keys to open ATM cabinets and then deploy malware using one of two primary methods. In some incidents, the machine’s hard drive is removed, infected on a separate computer, and reinstalled. In others, the original drive is replaced entirely with a compromised device preloaded with malicious software. Because the malware operates independently of standard banking communications, it can dispense cash without interacting with customer accounts or triggering traditional fraud detection systems.

Officials have outlined several warning signs that may indicate a compromised ATM, including unexpected door alerts outside maintenance windows, sudden low-cash notifications, unauthorized devices connected to the machine, missing or tampered hard drives, and machines abruptly marked out of service. Financial institutions are being urged to review physical security protocols, enhance monitoring of service patterns, and report suspicious activity promptly as part of a broader effort to contain the growing ATM cyberattack threat.
New Malware "Ferret" Targets MacBook Users, Linked to North Korean Hackers
A new malware family named Ferret has been identified by researchers at SentinelLabs, posing a significant threat to MacBook users. This malware is linked to North Korean hackers and cybercriminal groups. Ferret is an evolution of previous malware variants and disguises itself as a legitimate Google Chrome update file. By mimicking legitimate Chrome code, Ferret is able to bypass security applications and scanning systems. The malware enters a MacBook when the user is deceived into downloading









