
ATM Jackpotting – the malware based attacks that are draining America’s cash machines.


ATM jackpotting, also called a “cash-out” attack, is a sophisticated form of cyber-physical crime where threat actors exploit vulnerabilities in an ATM’s hardware and software to make it dispense all its cash on command. Unlike traditional skimming attacks that steal card data and PINs from individual customers, jackpotting focuses on the ATM itself, treating the machine as a programmable cash dispenser. The technique requires both physical break-in skills and malware knowledge, making it a particularly dangerous mix of burglary and cybercrime. What was once a niche threat has now become a nationwide crisis, with federal authorities warning that losses are accelerating at an alarming rate.


A Threat That Has Reached Critical Mass

The scale of ATM jackpotting in the United States has surged. On February 19, 2026, the FBI issued a security alert stating that of roughly 1,900 jackpotting incidents reported since 2020, more than 700 occurred in 2025 alone, with losses of more than $20 million in that year. Those figures are probably an undercount: the Department of Justice has noted that some attacks go unreported or are initially logged as ordinary theft.

The broader campaign is even more staggering. In December 2025, the DOJ announced the indictment of 54 individuals linked to an operation that resulted in over $40 million in losses through more than 1,500 confirmed ATM attacks across the United States since 2021. By January 2026, additional indictments brought the total number of charged individuals to 87, mostly Venezuelan and Colombian nationals connected to the transnational criminal organization Tren de Aragua (TdA).

The stolen funds were not simply pocketed. Federal prosecutors claim the proceeds were laundered through a network of associates and directed to TdA leadership to fund various criminal and terrorist acts, including human trafficking, child sex trafficking, kidnapping, and murder. TdA, now recognized by the U.S. State Department as a Foreign Terrorist Organization, has shown an ability to merge traditional organized crime tactics with sophisticated cyber tools.


The Mechanics of the Attack: How Ploutus Works

Origins and Evolution

The main malware behind this surge of attacks is the Ploutus family. First discovered in Mexico in 2013, Ploutus was initially a Spanish-language program installed via CD-ROM that enabled criminals to make ATMs dispense cash by entering specific key combinations. Over more than a decade of development, Ploutus has gone through at least five major revisions. Its most dangerous version, Ploutus-D, was first identified in 2016 and expanded the malware’s scope by targeting the KAL Kalignite Multivendor ATM Platform, a middleware system used by over 40 ATM vendors in 80 countries.

This evolution transformed Ploutus from a single-vendor exploit into a cross-manufacturer tool. While the current U.S. campaign has mainly targeted Diebold ATMs, security researchers warn that only minor code adjustments would be needed to adapt the malware to other vendors using Kalignite-based systems.

Exploiting the XFS Middleware Layer

ATM jackpotting primarily exploits eXtensions for Financial Services (CEN/XFS), an open-standard API that gives an ATM’s application layer a uniform software interface to its physical peripherals: the cash dispenser, card reader, PIN pad, and receipt printer. XFS was created to solve an interoperability problem: a bank’s application software can drive hardware from any manufacturer without vendor-specific code.

XFS is organized as a client-server model. Applications call the XFS Manager (on Windows, MSXFS.dll), which translates the high-level API calls into Service Provider Interface (SPI) calls that the vendor’s service providers turn into hardware commands. The abstraction that makes XFS valuable is exactly what makes it valuable to malware authors: any process that can load the XFS Manager and open a session with the cash dispenser service class (CDM) can issue the same dispense command the legitimate application uses, and nothing in the XFS layer asks whether the bank approved it. Authorization lives in the application and the bank’s host, not in the dispenser.

Under normal operation a withdrawal follows a fixed sequence: the customer inserts a card and enters a PIN, the ATM application sends the request to the bank’s host for approval, and only after the host authorizes the transaction does the application instruct the dispenser to release cash. Ploutus skips the whole sequence. It loads the same middleware libraries the ATM application uses (MSXFS.dll and, on Kalignite platforms, K3A.Platform.dll) and sends dispense commands straight to the dispenser, with no host round-trip. No transaction is ever recorded on the bank’s backend; from the bank’s side the cash simply disappears. That is also why reconciling cash dispensed against withdrawals the host actually authorized is one of the few detection signals that does not depend on the compromised machine’s own logs.

The Physical-Digital Attack Chain

All known Ploutus-D attacks require direct physical access to the ATM’s internal components. The attack follows a systematic sequence:

  1. Reconnaissance: Organized groups travel in multiple vehicles to targeted banks and credit unions. They observe camera placements, alarm systems, and physical security features around ATMs.
  2. Gaining Physical Access: Attackers open the ATM’s maintenance hatch using generic or master keys—many of which can be bought on the dark web or online marketplaces for as little as a few dollars. Sometimes, they use lockpicking tools, endoscopes, or even magnets. Attacks often happen during weekends or overnight when surveillance and staff are at their lowest.
  3. Testing for Alarms: After opening the ATM, the attackers retreat to a nearby spot and observe whether an alarm or law enforcement response occurs. Only once it is safe do they continue.
  4. Malware Installation: The infection occurs through one of several methods.
    • Hard drive replacement: The ATM’s original drive is taken out and swapped with a preloaded malicious operating system and Ploutus malware.
    • Hard drive modification: The drive is temporarily removed, connected to an external laptop from which the malware is copied onto it, then reinstalled.
    • USB deployment: A thumb drive with the malware payload is plugged into an exposed USB port.
  5. Activation and Cash-Out: An external keyboard (USB or PS/2) is connected to the ATM. The attacker enters a unique 8-digit activation code, which is valid for only 24 hours and generated based on a per-machine identifier and the current date. This code is usually provided by a “boss” who supervises the operation — a deliberate separation that prevents unauthorized use of the malware by rogue mules. Once activated, the attacker uses specific keyboard commands (such as pressing F3 to dispense cash) to initiate continuous dispensing cycles.
  6. Evidence Destruction: Ploutus-D has aggressive anti-forensic functions. It deletes operational logs (such as NetOp.LOG), kills security-monitoring processes in a loop that repeats every 5 seconds, and is obfuscated with .NET Reactor to slow reverse engineering. The malware is built to vanish from the machine’s own audit trail, which is why the logs that matter most are the ones shipped off the ATM before it is touched.

The speed of these operations is striking. In a March 2025 incident in Omaha, Nebraska, attackers drained $79,200 from a single ATM within minutes. A credit union in Kearney, Nebraska, reportedly lost $300,000 in one night despite having CCTV monitoring in place.

Technical details

Persistence Mechanisms

Ploutus-D achieves persistence through several mechanisms. It installs itself as a Windows service (commonly named “DIEBOLDP”) and modifies the registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit so that its own launcher starts at logon alongside, or in place of, the legitimate userinit.exe. On a clean system that value holds only C:\Windows\system32\userinit.exe, (trailing comma included); any additional entry is a finding. This ensures the malware survives reboots and power cycles. It also drops legitimate Kalignite files alongside the payload to satisfy its dependencies, reducing the chance that it fails to run.


Indicators of Compromise (IOCs)

Detecting jackpotting attacks requires monitoring for both digital and physical anomalies. The FBI’s February 2026 advisory and broader threat intelligence provide the following indicators:

Digital Indicators

  • Unrecognized Executables: The presence of suspicious files on the ATM’s system drive, including but not limited to Newage.exe, NCRApp.exe, Levantaito.exe, Anydesk1.exe, AgilisConfigurationUtility.exe, and Diebold.exe.
  • Known Malicious Hashes (MD5):
    • 2C2D16658D8DA6B389934273EF8F8E22
    • 5F177B84F3D92AB5711BE446125FDBE3
    • C04A7CB926CCBF829D0A36A91EBF91BD
    • 5AF1F92832378772A7E3B07A0CAD4FC5
  • Registry Modifications: Unauthorized changes to HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.
  • Unauthorized Services: New Windows services such as “DIEBOLDP” that are not part of the ATM’s standard configuration.
  • Mutexes: The creation of mutexes named Ploutos, DIEBOLDPL, or KaligniteAPP in memory, which are useful markers for memory-based detection.
  • Remote Access Tools: Unauthorized installations of remote access software such as TeamViewer or AnyDesk, which may indicate an attacker establishing a fallback command-and-control channel.
  • Anti-Forensic Artifacts: Evidence of log file deletion, particularly the purging of NetOp.LOG files or unusual termination of security monitoring processes like NHOSTSVC.exe.
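The digital indicators above can be checked mechanically from a collected evidence package. The following is an added example, not code from the FBI advisory or from any ATM vendor: it parses a `reg query` dump of the Winlogon key, an `sc query` listing, and a file tree, and reports any Userinit launcher other than userinit.exe, any listed service name, and any file whose name or MD5 is on the indicator list. The sample exports and files are constructed for the demonstration, and the default Userinit path is an assumption about the ATM image.

```python
"""Triage an ATM evidence package for the Ploutus-D indicators listed above.
Added example, not code from the FBI advisory or an ATM vendor. It parses text
exports an examiner would collect (a `reg query` dump of the Winlogon key, an
`sc query` listing, and the files on the system drive) so it runs offline on any
platform; the exports and files below are constructed."""
import hashlib
import os
import re
import tempfile

# Indicators quoted on this page (filenames and MD5s from the FBI advisory).
SUSPICIOUS_FILENAMES = {"newage.exe", "ncrapp.exe", "levantaito.exe", "anydesk1.exe",
                        "agilisconfigurationutility.exe", "diebold.exe"}
KNOWN_BAD_MD5 = {"2c2d16658d8da6b389934273ef8f8e22", "5f177b84f3d92ab5711be446125fdbe3",
                 "c04a7cb926ccbf829d0a36a91ebf91bd", "5af1f92832378772a7e3b07a0cad4fc5"}
SUSPICIOUS_SERVICES = {"dieboldp"}
REMOTE_ACCESS_TOOLS = ("teamviewer", "anydesk")
# The only launcher Windows itself puts in Userinit (assumes a default %SystemRoot%).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

def parse_reg_query(text):
    """Parse `reg query` lines of the form '    Name    REG_SZ    value'."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def check_userinit(value):
    """Return every launcher in the Userinit value other than userinit.exe."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != LEGIT_USERINIT]

def parse_sc_query(text):
    """Collect service names from `sc query type= service state= all` output."""
    return {m.group(1).lower() for m in re.finditer(r"SERVICE_NAME:\s*(\S+)", text)}

def md5_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan_files(root, bad_md5=KNOWN_BAD_MD5):
    """Walk the drive; flag listed names, remote-access tools and known-bad hashes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, lname, reasons = os.path.join(dirpath, name), name.lower(), []
            if lname in SUSPICIOUS_FILENAMES:
                reasons.append("filename on IOC list")
            if any(tool in lname for tool in REMOTE_ACCESS_TOOLS):
                reasons.append("remote access tool")
            if lname.endswith((".exe", ".dll")) and md5_file(path) in bad_md5:
                reasons.append("known-bad MD5")
            if reasons:
                hits.append((os.path.relpath(path, root), reasons))
    return sorted(hits)

def triage(reg_dump, sc_dump, root, bad_md5=KNOWN_BAD_MD5):
    """Combine the checks into one list of findings (empty list = nothing matched)."""
    findings = []
    extra = check_userinit(parse_reg_query(reg_dump).get("Userinit", LEGIT_USERINIT))
    if extra:
        findings.append("Userinit hijack: " + ", ".join(extra))
    for svc in sorted(parse_sc_query(sc_dump) & SUSPICIOUS_SERVICES):
        findings.append("unexpected service: " + svc)
    for rel, reasons in scan_files(root, bad_md5):
        findings.append(rel + ": " + ", ".join(reasons))
    return findings

# Constructed exports standing in for what an examiner would pull from the ATM.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell       REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Diebold\Launcher.exe,
"""
SAMPLE_SC = """
SERVICE_NAME: DIEBOLDP
DISPLAY_NAME: Diebold Platform Service
        STATE              : 4  RUNNING
"""

def demo():
    """Write a small constructed drive image to a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="atm-triage-")
    os.makedirs(os.path.join(root, "Diebold"))
    samples = {"Newage.exe": b"MZ constructed sample; the name is on the IOC list",
               "K3A.Platform.dll": b"MZ legitimate-looking Kalignite dependency",
               "loader.dll": b"MZ constructed dropper treated as a known-bad hash"}
    for name, data in samples.items():
        with open(os.path.join(root, "Diebold", name), "wb") as f:
            f.write(data)
    # Simulate a hash hit by adding the constructed dropper's MD5 to the bad set.
    bad = KNOWN_BAD_MD5 | {md5_file(os.path.join(root, "Diebold", "loader.dll"))}
    return triage(SAMPLE_REG, SAMPLE_SC, root, bad)

if __name__ == "__main__":
    print("\n".join(demo()) or "no indicators matched")
```

For a real engagement, point triage() at a mounted forensic image of the system drive and at exports taken from the live machine, and treat an empty result as "nothing on the list" rather than "clean": the hash list covers only samples already known to the FBI, and the filename list is what the advisory happened to observe.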

Physical Indicators

  • ATM Door Alerts: Door-open sensor activations that occur outside of scheduled maintenance windows.
  • Unauthorized Peripheral Events: System event logs recording the insertion of unknown USB keyboards, hubs, or flash drives, in particular Security log Event ID 6416 (a new external device was recognized by the system; this requires the “Audit PNP Activity” policy to be enabled) and Event ID 2003 from the DriverFrameworks-UserMode operational log (a driver was loaded for a newly attached device; that log is not enabled by default).
  • Anomalous Cash Levels: Rapid “low cash” or “cash out” alerts that do not correspond to expected customer transaction volumes.
  • Surveillance Anomalies: Individuals wearing masks and gloves, loitering near ATMs during off-hours, or making repeated trips to the same machine.

The Threat Actor: Tren de Aragua

The primary threat group behind the current U.S. jackpotting wave is Tren de Aragua (TdA), a Venezuelan-origin transnational criminal organization. Originally formed in a Venezuelan prison, TdA has expanded into a sophisticated multinational enterprise with operations across Latin America and now the United States.

TdA was designated a Foreign Terrorist Organization (FTO) by the U.S. government, and its jackpotting campaign represents a significant evolution in how terrorist-linked groups generate revenue. The organization’s operational model for jackpotting attacks demonstrates a clear division of labor: technical specialists develop and maintain the Ploutus malware; recruited “mules” (often Venezuelan and Colombian nationals) carry out the physical break-ins and cash collection; and a logistics network handles laundering proceeds — including through cryptocurrency wallets that federal prosecutors have since frozen.

As FBI Omaha Special Agent in Charge Eugene Kowel warned, ATM malware attacks “pose a direct threat to the U.S. financial system,” and the bureau has surged resources to adapt to these increasingly sophisticated criminal tactics. The investigation, coordinated through Joint Task Force Vulcan (originally created to fight MS-13 and later expanded to target TdA), involved the FBI, Homeland Security Investigations, and the Secret Service conducting arrests across 10 states.


Strategic Mitigations: A Multi-Layered Defense

Defending against ATM jackpotting demands a comprehensive approach that addresses physical access, software integrity, network security, and operational vigilance. No single control is sufficient; the strength lies in layered redundancy.

Physical and Hardware Hardening

  • Lock Upgrades: Replace generic manufacturer locks with unique, high-security cylinders. Master keys for many common ATM models are easily purchased online, making factory-installed locks functionally useless. Tamper-evident seals should supplement lock upgrades.
  • Secure Boot and Trusted Platform Module (TPM): Use UEFI Secure Boot so the platform refuses unsigned boot code, and a TPM (1.2 or higher; 2.0 where the hardware allows) for measured boot, so that the disk-encryption key is released only when the boot measurements match the approved configuration. Together these prevent an attacker from booting the machine from a foreign drive or a modified operating system.
  • Full Disk Encryption (FDE): Encrypting the ATM’s hard drive means that a drive pulled from the machine cannot be modified offline, and a replacement drive will not boot. Bind the encryption key to the TPM of that specific ATM so the drive is useless in any other system, and keep the recovery key off the machine.
  • USB Port Lockdown: Physically disable or block unused USB ports to prevent connection of external keyboards, thumb drives, or other malicious peripherals.
  • Surveillance and Alarms: Deploy cameras in well-lit locations and install tamper-detecting alarm systems with randomized sensor placement to prevent attackers from predicting coverage gaps. Consider configuring power-disconnect options that disable the ATM automatically if the top-hat alarm is triggered.

System Integrity and Whitelisting

  • Gold Image Validation: Deploy every ATM from a cryptographically verified “gold image” — a known-good baseline configuration. Conduct regular audits that compare current file hashes against this baseline; any deviation should be treated as a critical compromise requiring immediate investigation.
  • Application Whitelisting: Use application control software to prevent unauthorized .exe, .bat, or .dll files from executing on the ATM. This is one of the most effective defenses against Ploutus and similar families, since the malware depends on running unauthorized binaries on the Windows operating system. Enforce the policy in block mode rather than audit-only mode, and cover DLLs as well as executables, since Ploutus-D drops its own copies of Kalignite libraries alongside the payload.
  • BIOS-Level Whitelisting: Configure the BIOS to restrict boot devices to only the internal hard drive (no CD, DVD, or USB boot), and password-protect BIOS settings to prevent attackers from reconfiguring the boot order.
  • Regular Patching: Keep ATM operating systems and all vendor middleware up to date. Many targeted ATMs still run Windows XP or Windows 7, which left support in 2014 and 2020 respectively and carry extensive known vulnerabilities. Before applying updates, verify that no malware is already present, since patching a compromised system does not remove the compromise.
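The gold-image check described above is simple to implement and easy to get subtly wrong, in particular when the baseline is stored where an attacker holding the drive can edit it. The following added example (not a vendor’s integrity tool, and not code from this page) builds a SHA-256 manifest of a file tree, signs it with an HMAC key that is held by the operator rather than on the ATM, and then audits the tree for added, removed and changed files. The directory layout, key, file contents and the simulated post-compromise changes are all constructed.

```python
"""Gold-image manifest: build, sign, and audit an ATM file tree against it.
Added example, not an ATM vendor's integrity tooling. A SHA-256 per file is
recorded, the manifest is signed with an HMAC key kept with the operator (so a
drive swap cannot also rewrite the baseline), and an audit reports files added,
removed or changed. The tree, key and simulated changes are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames.sort()  # deterministic walk so two runs produce identical JSON
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_file(path)
    return manifest

def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(manifest, key):
    return {"files": manifest, "mac": hmac.new(key, _canonical(manifest), "sha256").hexdigest()}

def verify_signature(signed, key):
    expected = hmac.new(key, _canonical(signed["files"]), "sha256").hexdigest()
    return hmac.compare_digest(signed["mac"], expected)

def audit(root, signed, key):
    """Diff the live tree against the signed baseline; refuse an unsigned baseline."""
    if not verify_signature(signed, key):
        raise ValueError("baseline manifest failed signature check; do not trust it")
    baseline, current = signed["files"], build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Baseline a constructed image, simulate a malware drop, and audit it."""
    key = b"operator-held-key-constructed-for-this-demo"
    root = tempfile.mkdtemp(prefix="atm-gold-")
    _write(root, "Windows/System32/msxfs.dll", b"MZ constructed XFS manager stand-in")
    _write(root, "Kalignite/K3A.Platform.dll", b"MZ constructed platform stand-in")
    _write(root, "Kalignite/app.config", b"<config>original</config>")
    _write(root, "Monitoring/NHOSTSVC.exe", b"MZ constructed monitoring agent")
    signed = sign_manifest(build_manifest(root), key)

    # Simulate what a Ploutus-D drop leaves behind: a new launcher, an edited
    # config, and a monitoring agent removed to silence alerts.
    _write(root, "Diebold/Launcher.exe", b"MZ constructed malicious launcher")
    _write(root, "Kalignite/app.config", b"<config>tampered</config>")
    os.remove(os.path.join(root, "Monitoring", "NHOSTSVC.exe"))

    # A baseline edited to whitelist the launcher must fail verification.
    forged = {"files": dict(signed["files"]), "mac": signed["mac"]}
    forged["files"]["Diebold/Launcher.exe"] = sha256_file(
        os.path.join(root, "Diebold", "Launcher.exe"))
    return audit(root, signed, key), verify_signature(forged, key)

if __name__ == "__main__":
    report, forged_accepted = demo()
    print(json.dumps(report, indent=2))
    print("forged baseline accepted:", forged_accepted)
```

Any non-empty "added", "removed" or "changed" list is the critical deviation the text describes. The HMAC is a stand-in for whatever signing the operator already trusts (a code-signing key in an HSM is the usual choice); the point is that the verification key never lives on the ATM, so a replaced drive cannot carry a baseline that blesses its own contents.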

Enhanced Logging and Monitoring

Robust logging is essential for both real-time detection and post-incident forensics:

  • Object Access Auditing: Use System Access Control Lists (SACLs) to monitor write operations to sensitive directories, particularly C:\Windows\, vendor middleware paths, and any directories where Ploutus is known to drop files (e.g., C:\Diebold\).
  • Process Creation Logging: Enable Windows Event ID 4688 with command-line auditing to capture when any executable or script is launched, enabling identification of malicious command execution.
  • SIEM Ingestion: Ingest all ATM system logs into a Security Information and Event Management (SIEM) platform for centralized analysis, correlation, and alerting.
  • Anomalous Dispense Monitoring: Implement monitoring rules that flag large cash dispensing events that occur without a corresponding card-based transaction on the bank’s host system.
  • Automatic Shutdown Rules: Configure the ATM software to enter an “Out of Service” or shutdown state if a specific combination of IOCs is detected — for example, a door-open event followed by a USB device insertion within a defined time window.
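The monitoring rules in this section, together with the door and peripheral indicators listed earlier, are all correlations over a handful of event types. The following added example (not the FBI’s or any SIEM vendor’s detection content, and not code from this page) implements them over one time-ordered event stream: a door-open outside maintenance hours, a new USB device (Event ID 6416) shortly after a door-open, a process launch (Event ID 4688) whose command line touches the indicators on this page, and a dispense with no preceding host authorization for the same amount. The event field names, the thresholds and the sample stream are constructed; a real deployment would map SIEM records onto these fields.

```python
"""Correlate ATM door, Windows and host-transaction events into jackpotting alerts.
Added example, not the FBI's or any SIEM vendor's detection content. Event
shapes, thresholds and the sample stream are constructed; timestamps are
seconds since midnight so maintenance windows can be expressed as hours."""
import re

USB_AFTER_DOOR_SECONDS = 600        # a new device within 10 min of a door-open
AUTH_BEFORE_DISPENSE_SECONDS = 30   # host approval must precede the dispense by <= 30 s
# Command lines that touch the indicators listed on this page.
SUSPICIOUS_CMDLINE = re.compile(
    r"sc(?:\.exe)?\s+create\s+dieboldp|winlogon\\userinit|taskkill\s.*nhostsvc|anydesk|teamviewer",
    re.IGNORECASE)

def in_maintenance_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)

def correlate(events, maintenance_windows=()):
    """Return (ts, rule, detail) alerts for one ATM's event stream, in time order."""
    alerts, last_door_open, pending_auths = [], None, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind, ts = e["kind"], e["ts"]
        if kind == "door_open":
            last_door_open = ts
            if not in_maintenance_window(ts, maintenance_windows):
                alerts.append((ts, "door_open_outside_maintenance", e.get("sensor", "")))
        elif kind == "win_event" and e["id"] == 6416:
            # A keyboard or drive appearing right after the hatch opened is step 5 of the chain.
            if last_door_open is not None and ts - last_door_open <= USB_AFTER_DOOR_SECONDS:
                alerts.append((ts, "usb_device_after_door_open", e.get("device", "")))
        elif kind == "win_event" and e["id"] == 4688:
            if SUSPICIOUS_CMDLINE.search(e.get("cmdline", "")):
                alerts.append((ts, "suspicious_process", e["cmdline"]))
        elif kind == "host_auth":
            pending_auths.append(e)           # consumed by the matching dispense below
        elif kind == "dispense":
            match = next((a for a in pending_auths if a["amount"] == e["amount"]
                          and 0 <= ts - a["ts"] <= AUTH_BEFORE_DISPENSE_SECONDS), None)
            if match is not None:
                pending_auths.remove(match)
            else:
                # Cash left the dispenser with no approval on the host: the XFS bypass signature.
                alerts.append((ts, "dispense_without_host_auth", str(e["amount"])))
    return alerts

def should_go_out_of_service(alerts):
    """Policy from the text: take the ATM down on a USB-after-door or unauthorized dispense."""
    rules = {rule for _, rule, _ in alerts}
    return bool(rules & {"usb_device_after_door_open", "dispense_without_host_auth"})

# Constructed stream: a night-time jackpotting attempt followed by one legitimate withdrawal.
SAMPLE_EVENTS = [
    {"ts": 0,   "kind": "door_open", "sensor": "top-hat"},
    {"ts": 120, "kind": "win_event", "id": 6416, "device": "USB keyboard"},
    {"ts": 200, "kind": "win_event", "id": 4688,
     "cmdline": r"sc create DIEBOLDP binPath= C:\Diebold\Launcher.exe start= auto"},
    {"ts": 260, "kind": "dispense", "amount": 2000},
    {"ts": 300, "kind": "host_auth", "amount": 200, "txn": "A1"},
    {"ts": 305, "kind": "dispense", "amount": 200},
]
MAINTENANCE_WINDOWS = [(9 * 3600, 17 * 3600)]   # service visits are 09:00-17:00

def demo():
    return correlate(SAMPLE_EVENTS, MAINTENANCE_WINDOWS)

if __name__ == "__main__":
    alerts = demo()
    for ts, rule, detail in alerts:
        print(f"{ts:>6}s  {rule:<32} {detail}")
    print("go out of service:", should_go_out_of_service(alerts))
```

The dispense rule is the one worth getting right: it needs the host’s authorization records, not the ATM’s, because Ploutus-D deletes local logs, and it matches on amount and a tight time window so that a legitimate withdrawal immediately after an attack is not mistaken for cover. The thresholds here are illustrative; tune the USB window to how long a technician legitimately takes between opening the hatch and plugging in, and the authorization window to the host’s real round-trip latency.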

Network and API Protection

  • Network Segmentation: Isolate ATM networks from broader corporate networks to limit lateral movement if one system is compromised.
  • TLS Encryption: Require TLS 1.2 or higher for all ATM-to-host communications to prevent man-in-the-middle attacks that could intercept or manipulate transaction data.
  • Endpoint Detection and Response (EDR): Deploy endpoint security tooling configured for the ATM environment, which has a fixed set of processes and no interactive users, so that any process, driver, or peripheral outside that known baseline is detected and blocked in real time rather than triaged later.

Operational Best Practices

  • Access Audits: Regularly audit who has physical and logical access to ATMs, including third-party service providers. Third-party risk management should include verification of vendor credentials before granting access.
  • Staff Training: Train personnel to recognize suspicious behavior around ATMs, including social engineering attempts and impersonation of maintenance technicians.
  • Information Sharing: Participate in threat intelligence sharing through organizations such as the ATM Industry Association (ATMIA) and the Financial Services Information Sharing and Analysis Center (FS-ISAC), which provide members with timely data on ATM-related criminal activity.
  • Penetration Testing: Conduct regular penetration testing and red team exercises specifically targeting ATM infrastructure to identify and remediate vulnerabilities before adversaries exploit them.

Reporting and Response

In the event of a suspected jackpotting incident, financial institutions should immediately preserve all forensic evidence and report the incident to law enforcement. The FBI strongly encourages reporting through the following channels:

Reports should include:

  • Bank Details: Institution name, branch, and specific ATM location.
  • ATM Specifications: Manufacturer, model number, software version, and vendor contact information.
  • Forensic Data: All available system logs, timestamps, event logs, and descriptions of any suspicious equipment observed on or near the ATM (foreign hard drives, keyboards, USB devices).
  • Surveillance Evidence: Any available video footage of the incident or suspicious individuals.

