Jackpotting America: How Ploutus Malware Is Turning ATMs Into Criminal Cash Machines
Subtitle: The FBI sounds the alarm as hackers drain millions from U.S. ATMs using advanced malware that bypasses banks, cards, and even accounts.
It’s a heist straight out of a cyber-thriller: masked figures approach an ATM, plug in a device, and minutes later, the machine spews out cash-no cards, no accounts, no alarms. This isn’t fiction. A surge of “jackpotting” attacks powered by the notorious Ploutus malware has prompted the FBI to issue an unprecedented emergency alert to banks nationwide, warning of a wave of ATM thefts that bypass every traditional security measure.
Fast Facts
- Ploutus malware allows criminals to empty ATMs without needing bank cards or customer accounts.
- Since 2020, nearly 1,900 jackpotting incidents have been tracked in the U.S.; over $20 million stolen in 2025 alone.
- Attackers exploit the ATM’s XFS software layer and Windows systems to hijack cash dispensers directly.
- Physical access is key: generic keys, USB devices, and remote tools like AnyDesk are used to install malware.
- The FBI urges immediate action to strengthen both physical and digital ATM security.
Inside the Ploutus Playbook: Anatomy of a Modern ATM Heist
The recent wave of attacks has exposed a chilling vulnerability at the heart of the U.S. banking infrastructure. Ploutus, a sophisticated strain of malware first seen in Latin America, has evolved to exploit the eXtensions for Financial Services (XFS) layer-the software bridge between an ATM’s computer and its cash-dispensing hardware. Instead of relying on legitimate banking applications, Ploutus issues its own commands, instructing the ATM to release money on demand, completely sidestepping the bank’s authorization process.
The attackers’ playbook is alarmingly simple but effective. Gaining physical access is often the hardest part, but many ATMs still use standard locks and keys easily purchased online. Once inside, criminals remove the hard drive, install Ploutus-sometimes by swapping in a new drive preloaded with malware-or use USB sticks and external keyboards to stage their attack. In some cases, remote-access tools like AnyDesk or TeamViewer are leveraged to control the ATM from afar.
The malware transforms the ATM into a rogue cash dispenser under criminal control, executing rapid cash-outs in minutes. By targeting the machine itself, rather than customer accounts, these attacks go undetected until large sums vanish. The FBI notes that Ploutus is highly adaptable, requiring minimal modification to infect different ATM models that run on Windows systems.
Digital traces left behind include suspicious files like “Newage.exe,” “LevantaIto.exe,” and “Anydesk1.exe,” as well as altered system logs. The FBI has published lists of known malware signatures and urges banks to compare their ATMs’ software against verified, cryptographically signed baselines.
Can Banks Keep Up?
With over 700 attacks and tens of millions lost in 2025 alone, the FBI’s emergency FLASH alert calls for urgent action. Recommendations include replacing default locks, installing additional barriers and sensors, encrypting hard drives, and monitoring for unauthorized devices or software. Banks are also encouraged to enable automatic ATM shutdowns when suspicious activity is detected.
Reflection
As cybercriminals turn ATMs against the very banks they serve, America’s financial institutions face a sobering reality: the war for physical cash is now being fought in the digital shadows. Only a combination of vigilance, technology, and old-fashioned security can keep the next jackpotting crew at bay.
WIKICROOK
- Jackpotting: Jackpotting is a cyberattack where hackers use malware or hardware to force ATMs to dispense all their cash, bypassing security controls.
- Ploutus: Ploutus is advanced ATM malware that enables attackers to dispense cash and erase evidence, posing a major threat to financial institutions.
- XFS (eXtensions for Financial Services): XFS is a software framework that standardizes communication between ATMs and banking systems, enabling secure and efficient device integration for banks.
- Remote: Remote in cybersecurity means controlling or accessing devices from afar, often via the internet, using special software. It requires strong security controls.
- Gold image: A gold image is a secure, verified master copy of software and configurations, used to deploy consistent, tamper-evident systems and detect unauthorized changes.




