The Federal Bureau of Investigation (FBI) has issued a sharp warning about a rising wave of ATM “jackpotting” incidents across the US, revealing that cybercriminals are increasingly using malware to force automated teller machines to dispense cash without any legitimate transaction.

What is ATM jackpotting?

ATM jackpotting is a type of cyber‑physical attack in which threat actors exploit vulnerabilities in both the physical security and software of ATMs. Once they gain access, attackers use specialised malware, often from the Ploutus family, to take direct control of the machine’s cash‑dispensing functions.

The malware targets the eXtensions for Financial Services (XFS) layer, the standard middleware in the ATM's software stack through which the banking application drives peripherals such as the cash dispenser, card reader and PIN pad. XFS executes any well-formed command it receives from software on the ATM's PC, so malware running there can issue its own dispense commands, bypassing the bank host's authorisation entirely and making the ATM spit out cash on demand, with no card or account involved.

According to the FBI, there have been approximately 1,900 reported jackpotting incidents in the US since 2020, with over 700 occurring in 2025 alone, resulting in more than $20 million in losses.

How do criminals get in?

Most jackpotting attacks begin with physical access to the ATM, typically by using generic keys to open the cabinet that houses the machine's PC. At that point, attackers may remove the internal hard drive, load malware onto it from their own computer, and then refit it before rebooting.

In some cases, they simply swap the original drive for a replacement already loaded with the malware. Because many ATMs run a standard PC core with outdated versions of Windows and the same XFS middleware, this kind of compromise works in similar ways against machines from many different manufacturers.

Indicators and detection

The FBI’s alert lists both digital and physical signs “that may indicate a compromised ATM.” Physical indicators include unexpectedly open doors, unauthorised devices plugged into the machine, and missing hard drives.

Digital indicators include unusual executable files, new directories, or scripts present on the ATM's disk. Banks and ATM operators are urged to monitor closely for these signs and to report suspicious activity promptly.
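One practical way to catch the digital indicators above is to keep a hashed manifest of the ATM's known-good software image and diff the live disk against it, classifying anything new as an executable, a script, or a directory. The script below is an added illustration, not code from the FBI alert or from any ATM vendor; the directory layout, file names and suffix lists are hypothetical, and the sample tree is constructed in a temporary directory so it runs offline.

```python
"""Baseline-and-diff check for jackpotting indicators: new executables,
new directories and scripts appearing on an ATM's software disk.

Added example, not from the FBI alert or any vendor. Paths and suffix
lists are hypothetical; tune them to the real golden image.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical allow/deny suffix sets for a Windows-based ATM PC.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr"}
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".py"}


def snapshot(root):
    """Map every path under root to its SHA-256 (None for directories)."""
    root = Path(root)
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root).as_posix()
        if rel_dir != ".":
            state[rel_dir + "/"] = None          # trailing slash marks a directory
        for name in filenames:
            p = d / name
            state[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def diff_against_baseline(baseline, current):
    """Classify deviations from the golden image the way an operator would triage them."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            if path.endswith("/"):
                findings.append(("new_directory", path))
            else:
                suffix = Path(path).suffix.lower()
                if suffix in EXECUTABLE_SUFFIXES:
                    findings.append(("new_executable", path))
                elif suffix in SCRIPT_SUFFIXES:
                    findings.append(("new_script", path))
                else:
                    findings.append(("new_file", path))
        elif digest != baseline[path]:
            findings.append(("modified", path))   # e.g. a patched XFS DLL
    for path in baseline:
        if path not in current:
            findings.append(("missing", path))    # e.g. a replaced drive lacking vendor files
    return sorted(findings)


def build_tree(root, files):
    """Write a constructed {relative_path: bytes} tree under root."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Constructed scenario: golden image versus a tampered disk."""
    golden = {
        "atm/app/ATMApp.exe": b"vendor application",
        "atm/app/xfs/XFSManager.dll": b"xfs manager",
        "atm/config/settings.ini": b"[dispenser]\nmax_notes=40\n",
    }
    tampered = dict(golden)
    tampered["atm/app/xfs/XFSManager.dll"] = b"patched xfs manager"   # modified binary
    tampered["atm/app/svc/agent.exe"] = b"not on golden image"        # new exe in new dir
    tampered["atm/config/run.bat"] = b"start agent.exe"               # dropped script
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as c:
        build_tree(g, golden)
        build_tree(c, tampered)
        return diff_against_baseline(snapshot(g), snapshot(c))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:15s} {path}")
```

The baseline must live off the machine (or in signed, read-only storage) for this to mean anything: if the attacker swaps in a pre-infected drive as described above, an on-disk manifest is swapped with it. Run the check from a trusted boot path or from a remote management host, and treat a `missing` result on vendor files as seriously as a `new_executable`, since it can indicate the whole drive was replaced.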