Jackpotting Frenzy: Inside the $20 Million ATM Malware Crime Wave Sweeping America
Subtitle: An FBI alert reveals a surge in sophisticated ATM jackpotting attacks, netting criminals millions in minutes and exposing vulnerabilities in US banking infrastructure.
It’s a modern-day bank heist - no ski masks, no getaway cars, just a few keystrokes and a flash of malware. In 2025 alone, a staggering 700 ATM jackpotting attacks have bled over $20 million from banks across the United States, according to a recent FBI alert. Behind the scenes, cybercriminals - often working in tightly coordinated crews - are leveraging advanced malware to turn cash machines into their personal slot machines, all while staying steps ahead of both law enforcement and bank security teams.
The Anatomy of a Jackpotting Attack
ATM jackpotting isn’t a new phenomenon, but its resurgence in the US has alarmed authorities. The basic technique involves criminals physically breaching an ATM - sometimes by picking locks or using default keys - and installing malware such as Ploutus. Once installed, the malware hijacks the machine’s cash dispenser, spitting out tens of thousands of dollars in minutes. The attacks don’t target customer accounts directly; they exploit the ATM’s internal software, which usually runs on outdated or unpatched versions of Windows.
The FBI’s latest alert underlines the adaptability of these attacks. Ploutus, a malware strain dating back more than a decade, remains the weapon of choice. Its code is versatile enough to compromise ATMs from different manufacturers with minimal modification, and it leverages the Windows operating system’s vulnerabilities to gain control. Once deployed, the malware can be operated remotely or via direct commands, making it possible for “mule” operators to empty machines on behalf of global syndicates.
Law enforcement has responded with a crackdown, leading to dozens of arrests - many involving Venezuelan nationals allegedly recruited for on-the-ground operations. Still, the battle is far from over. The malware is designed to cover its tracks, deleting itself after the heist and leaving investigators with little forensic evidence. The FBI has published new indicators of compromise (IoCs) and mitigation strategies, but with the attackers’ tactics evolving, banks are in a constant race to secure their machines.
What’s Next for ATM Security?
The surge in jackpotting attacks raises urgent questions about the resilience of US financial infrastructure. As cybercriminals grow bolder and more technologically adept, the need for rapid, coordinated defenses has never been greater. For now, the game of cat-and-mouse continues - one where millions of dollars and the trust of everyday bank customers are at stake.
WIKICROOK
- ATM Jackpotting: ATM jackpotting is a cyberattack where criminals force ATMs to dispense cash illegally by exploiting software or hardware vulnerabilities.
- Ploutus: Ploutus is advanced ATM malware that enables attackers to dispense cash and erase evidence, posing a major threat to financial institutions.
- Indicators of Compromise (IoCs): Indicators of Compromise (IoCs) are clues like filenames, IPs, or code fragments that help detect if a computer system has been breached.
- Mule Operator: A mule operator is someone used by cybercriminals to move or withdraw stolen funds, often unknowingly aiding illegal cyber activities.
- Windows Operating System: Windows OS, developed by Microsoft, is a popular platform for PCs and ATMs, making it a frequent target for malware and cyberattacks.