FBI warns these cyber-physical attacks are on the rise Thieves stole more than $20 million from compromised ATMs last year using a malware-assisted technique that the FBI says is on the uptick across the United States.…
# Incident Report: Surge in Malware-Assisted ATM Jackpotting
## Executive Summary
In 2025, a significant spike in "ATM Jackpotting" attacks resulted in the theft of over $20 million from financial institutions across the United States. Attackers utilize physical access to ATM internals to deploy specialized malware (notably Ploutus) that forces the machines to dispense cash without bank authorization. While individual customer accounts are not compromised, the trend represents a growing "cyber-physical" threat that has seen a 58% year-over-year increase in reported incidents.
## Incident Details
- **Discovery Date:** FBI Public Service Announcement issued February 19, 2026.
- **Incident Date:** Ongoing; significant volume spike throughout 2025.
- **Affected Organization:** Multiple undisclosed Financial Institutions.
- **Sector:** Banking / Financial Services.
- **Geography:** United States (Nationwide).
## Timeline of Events
### Initial Access
- **Date/Time:** 2020–2025 (Increasing intensity in 2025).
- **Vector:** Physical Breach (Hardware manipulation).
- **Details:** Attackers use generic keys or physical picking to open the ATM faceplate/chassis to reach the internal computer components.
### Lateral Movement
- **Details:** This attack is generally "contained" to the specific ATM terminal. Once physical access is gained, attackers move from the hardware layer to the software layer by interacting directly with the ATM’s hard drive.
### Data Exfiltration/Impact
- **Details:** Physical "exfiltration" of currency. Attackers issue commands via malware to the eXtensions for Financial Services (XFS) API to empty the cash cassettes.
### Detection & Response
- **Details:** Often detected post-incident via physical inspection or reconciliation of cash levels. The FBI and IC3 issued a formal alert on February 19, 2026, providing IoCs and physical signs to help banks identify compromised machines.
## Attack Methodology
- **Initial Access:** Physical access to the ATM interior via generic keys or forced entry.
- **Persistence:** Malicious executables remain on the ATM’s hard drive; in some cases, the entire hard drive is replaced with a pre-imaged malicious drive.
- **Privilege Escalation:** Not applicable in a traditional network sense; the malware assumes direct control over the XFS (eXtensions for Financial Services) middleware.
- **Defense Evasion:** Malware operates locally on the ATM, bypassing the need for network-based bank authorization.
- **Credential Access:** Not required; the malware bypasses the authorization logic.
- **Discovery:** Physical reconnaissance of ATM models and lock types.
- **Lateral Movement:** Limited; focuses on the interface between the ATM's OS (Windows) and the cash-dispensing hardware.
- **Collection:** Identifying the volume of cash available in the cassettes through XFS queries.
- **Exfiltration:** Physical removal of cash dispensed by the machine.
- **Impact:** Financial loss via unauthorized "jackpotting."
## Impact Assessment
- **Financial:** Exceeded $20 million in losses in 2025 alone.
- **Data Breach:** None (Customer data/PINs are not the target of this specific technique).
- **Operational:** ATM downtime for repairs, hard drive replacement, and forensic investigation.
- **Reputational:** Public concern regarding the physical security of banking infrastructure.
## Indicators of Compromise
- **Network indicators:** None specified (Attacks are primarily local/offline).
- **File indicators:**
  - Presence of *Ploutus* malware families.
  - Unauthorized executables, scripts, and associated configuration files on the Windows OS drive.
- **Behavioral indicators:**
  - Event IDs associated with the insertion of unauthorized USB storage devices.
  - ATMs reporting "No Cash" or "Out of Service" without a corresponding transaction log.
  - Evidence of physical tampering with the ATM faceplate or lock.
## Response Actions
- **Containment:** Taking suspected ATMs offline and securing them physically.
- **Eradication:** Imaging or replacing compromised hard drives; updating physical locks to high-security or unique keys.
- **Recovery:** Restoring ATM services with hardened software configurations and improved physical monitoring.
## Lessons Learned
- **Key Takeaways:** Reliance on "generic" keys for ATM chassis creates a significant physical security gap. The standardization of the XFS API, while beneficial for interoperability, provides a single point of failure for jackpotting malware.
- **Gaps:** Delayed detection remains a primary issue, as the "authorization" happens locally on the machine rather than through the bank's core network.
## Recommendations
- **Physical Security:** Upgrade ATM locks to unique, high-security versions and install tilt/vibration/intrusion sensors that trigger alarms.
- **Hardening:** Implement Full Disk Encryption (FDE) and Trusted Platform Module (TPM) checks to prevent unauthorized hard drive tampering or replacement.
- **Access Control:** Disable unused USB ports and implement robust application whitelisting (e.g., AppLocker) to prevent the execution of unauthorized binaries.
- **Monitoring:** Set up real-time alerts for XFS API calls that bypass standard transaction workflows.
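The behavioral indicators listed above (USB insertion events, "No Cash" with no matching transaction) and the monitoring recommendation (dispenses that bypass the normal transaction workflow) can be expressed as one correlation rule: every dispense recorded on the terminal must match an authorized transaction on the host. The following is an added example written for this report, not code from the FBI or any ATM vendor; the log formats, event names, ATM ids and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample ATM-side event log (format invented for this example).
ATM_EVENTS = """\
2025-06-01T02:13:04 ATM0042 USB_INSERT dev=removable
2025-06-01T02:14:30 ATM0042 DISPENSE amount=2000 txn=-
2025-06-01T02:15:02 ATM0042 DISPENSE amount=2000 txn=-
2025-06-01T02:16:40 ATM0042 CASSETTE_STATUS state=NO_CASH
2025-06-01T09:02:11 ATM0042 DISPENSE amount=60 txn=T1001
"""
# Constructed sample host-side record of authorized withdrawals.
HOST_TXNS = """\
2025-06-01T09:02:09 ATM0042 T1001 amount=60
"""
NO_CASH_WINDOW = timedelta(minutes=30)  # assumed: how far back to look for a txn

def parse(line):
    """Split one terminal log line into (timestamp, atm id, event, key=value fields)."""
    ts, atm, kind, *rest = line.split()
    fields = dict(f.split("=", 1) for f in rest)
    return datetime.fromisoformat(ts), atm, kind, fields

def load_host(text):
    """Map (atm id, txn id) -> (authorization time, amount) from the host log."""
    auth = {}
    for line in text.splitlines():
        ts, atm, txn, amt = line.split()
        auth[(atm, txn)] = (datetime.fromisoformat(ts), int(amt.split("=")[1]))
    return auth

def detect(atm_log, host_log):
    """Return (alert kind, timestamp, detail) for each suspicious terminal event."""
    auth = load_host(host_log)
    alerts = []
    for line in atm_log.splitlines():
        ts, atm, kind, f = parse(line)
        if kind == "USB_INSERT":
            alerts.append(("usb_insert", ts, f.get("dev", "")))
        elif kind == "DISPENSE":
            # A dispense is legitimate only if the host authorized it for this amount.
            rec = auth.get((atm, f.get("txn")))
            if rec is None or rec[1] != int(f["amount"]):
                alerts.append(("unauthorized_dispense", ts, f["amount"]))
        elif kind == "CASSETTE_STATUS" and f.get("state") == "NO_CASH":
            # Cassettes emptied with no recent authorized withdrawals on this ATM.
            recent = [t for (a, _), (t, _) in auth.items()
                      if a == atm and timedelta(0) <= ts - t <= NO_CASH_WINDOW]
            if not recent:
                alerts.append(("no_cash_without_txn", ts, atm))
    return alerts
```

In the constructed sample the 09:02 withdrawal matches host transaction T1001 and raises nothing, while the two early-morning dispenses with no transaction id, the USB insertion before them, and the cassette emptying afterwards each produce an alert.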