FBI Reports $20M ATM Jackpotting Losses in 2025: Ploutus Malware Trends
These articles are AI-generated summaries. Please check the original sources for full details.
FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025
The U.S. Federal Bureau of Investigation (FBI) has issued a warning regarding 1,900 ATM jackpotting incidents reported since 2020. In 2025 alone, 700 of these attacks led to losses exceeding $20 million.
Why This Matters
ATM jackpotting sits where physical security and a legacy software layer meet. The bank's host-side authorization of a card transaction may be sound, but Ploutus drives the cash dispenser through the same eXtensions for Financial Services (XFS) middleware that the ATM application itself uses, so the dispense command never passes through the bank's transaction authorization at all. Once an adversary has physical access to the ATM's internals, software-level card validation has no bearing on the outcome. The DOJ indictment of 54 individuals linked to the Tren de Aragua gang puts U.S. losses from one such Ploutus operation at $40.73 million since 2021.
Key Insights
- 700 ATM jackpotting incidents occurred in 2025, more than a third of the 1,900 cases reported since 2020 per FBI data.
- Ploutus malware abuses the eXtensions for Financial Services (XFS) software layer, the middleware between the ATM application and its peripherals, to send dispense commands straight to the cash dispenser.
- Attackers gain physical access to the ATM's internals using widely available generic keys to open the machine face (the top box that houses the PC core, which is locked separately from the cash safe).
- Malware deployment involves removing the ATM hard drive to infect it offline, or replacing it with a preloaded drive the attacker brings along.
- The FBI reports that Ploutus-driven cash-outs occur within minutes and are difficult to detect until after the theft is complete.
Practical Applications
- Financial institutions should enforce device allowlisting so the operating system refuses to enumerate unknown USB devices and peripherals, and lock the boot path as well: a BIOS/UEFI password, boot order restricted to the internal drive, and full-disk encryption with the key bound to the machine, so that a foreign preloaded drive cannot boot and a removed drive cannot be modified offline.
- Pitfall: Leaving the manufacturer's standard top-box lock in place lets an attacker open the cabinet with a generic key; replace it with a unique security lock and control who holds the keys.
- Cabinet-open and tamper sensors, backed by security cameras, give real-time alerts and can put the ATM into an out-of-service state as soon as the cabinet is opened outside a scheduled service window, before a foreign drive is booted.
- Pitfall: Leaving default credentials unchanged lets malware gain administrative control over the ATM's underlying Windows operating system.
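One way to turn the XFS-bypass observation above into a detection check, as an added example that is not from the FBI advisory, the DOJ filing, or any ATM vendor: a legitimate withdrawal is a host-authorized transaction followed by a dispense, whereas Ploutus drives the dispenser directly, so a dispense with no matching host authorization is the signal, and a cabinet-open event shortly before it raises the severity. The line-oriented journal format, the event names, and the time windows are assumptions made for this example; real ATMs write vendor-specific electronic journals and XFS traces, and the sample log below is constructed, not real data.

```python
"""
Added example: flag dispense events that no host authorization explains.
The journal format, event names and windows are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample journal (not real ATM output). It contains a normal
# withdrawal, a cabinet open followed by a burst of unauthorized dispenses,
# another normal withdrawal, and three unauthorized dispenses with no tamper
# event nearby: one with no transaction id, one reusing an id that was
# already consumed, and one whose authorization the host declined.
SAMPLE_LOG = """\
2025-03-02T10:15:01Z AUTH txid=A1001 amount=200 host=OK
2025-03-02T10:15:04Z DISPENSE txid=A1001 amount=200 notes=10
2025-03-02T23:41:10Z CABINET_OPEN sensor=topbox
2025-03-02T23:42:02Z DISPENSE txid=- amount=2000 notes=100
2025-03-02T23:42:20Z DISPENSE txid=- amount=2000 notes=100
2025-03-02T23:42:41Z DISPENSE txid=- amount=2000 notes=100
2025-03-03T08:02:15Z AUTH txid=A1002 amount=100 host=OK
2025-03-03T08:02:18Z DISPENSE txid=A1002 amount=100 notes=5
2025-03-03T12:00:00Z DISPENSE txid=- amount=500 notes=25
2025-03-03T12:00:30Z DISPENSE txid=A1001 amount=200 notes=10
2025-03-03T14:30:00Z AUTH txid=A1003 amount=300 host=DECLINED
2025-03-03T14:30:03Z DISPENSE txid=A1003 amount=300 notes=15
"""

AUTH_WINDOW = timedelta(seconds=60)    # a dispense must follow its auth within this
TAMPER_WINDOW = timedelta(minutes=30)  # a cabinet open within this raises severity


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


@dataclass
class Alert:
    ts: datetime
    amount: int
    severity: str
    reason: str


def parse_log(text: str) -> list[Event]:
    """Parse 'TIMESTAMP KIND key=value ...' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, kind, *rest = line.split()
        fields = dict(part.split("=", 1) for part in rest)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, kind, fields))
    return events


def detect_unauthorized_dispense(events: list[Event]) -> list[Alert]:
    """Return one alert per DISPENSE that no recent host authorization covers."""
    alerts = []
    authorized = {}           # txid -> timestamp of an approved host authorization
    last_cabinet_open = None  # timestamp of the most recent tamper event
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "AUTH" and ev.fields.get("host") == "OK":
            authorized[ev.fields["txid"]] = ev.ts
        elif ev.kind == "CABINET_OPEN":
            last_cabinet_open = ev.ts
        elif ev.kind == "DISPENSE":
            txid = ev.fields.get("txid", "-")
            # Each authorization covers exactly one dispense, so consume it.
            auth_ts = authorized.pop(txid, None) if txid != "-" else None
            if auth_ts is not None and ev.ts - auth_ts <= AUTH_WINDOW:
                continue  # normal path: host said yes, then the machine paid out
            tampered = (last_cabinet_open is not None
                        and ev.ts - last_cabinet_open <= TAMPER_WINDOW)
            alerts.append(Alert(
                ts=ev.ts,
                amount=int(ev.fields.get("amount", 0)),
                severity="critical" if tampered else "high",
                reason="dispense without host authorization"
                       + (" shortly after cabinet open" if tampered else ""),
            ))
    return alerts


def unauthorized_total(alerts: list[Alert]) -> int:
    """Cash paid out by dispenses that no authorization explains."""
    return sum(a.amount for a in alerts)


if __name__ == "__main__":
    found = detect_unauthorized_dispense(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.ts.isoformat()} {a.severity}: {a.reason} amount={a.amount}")
    print("unauthorized cash out:", unauthorized_total(found))
```

The two design choices worth carrying into a real rule are that an authorization is consumed by the first dispense that uses it (so a replayed transaction id is caught) and that a declined authorization never enters the allow set. The windows are deliberately short; a jackpotting burst is minutes long, so the alert has to fire on the first unexplained dispense rather than on an end-of-day reconciliation.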