Full Report
The Justice Department has said that between February 2024 and December 2025, the gang stole at least $5.4 million from at least 63 ATMs, most of which belonged to credit unions.
Analysis Summary
# Threat Actor: Ploutus ATM Jackpotting Conspiracy Participants
## Attribution & Identity
The group is identified as a conspiracy involving individuals, some of whom are alleged to be members of the Venezuelan transnational organized crime group **Tren de Aragua (TdA)**. The activity centers on the deployment of a specific malware family, Ploutus.
## Activity Summary
The conspiracy was active between **February 2024 and December 2025**, during which time its members stole at least **$5.4 million** from at least **63 ATMs**. This activity is part of a wider, long-running "ATM jackpotting" scheme involving the Ploutus malware, with prior activity detected as early as 2013.
## Tactics, Techniques & Procedures
- **Physical Surveillance:** Gang members conducted surveillance on potential target ATMs.
- **Physical Access/Tampering:** Members opened ATM doors to check for immediate security responses (e.g., alarms).
- **Malware Deployment (Jackpotting):**
  - Replacing the ATM's hard drive with one pre-installed with **Ploutus malware**.
  - Connecting **thumb drives** that unleashed the malware.
- **Evasion:** The deployment process included checking whether law enforcement responded when the machines were physically opened.
- **Malware Capability:** Ploutus malware orders the ATMs to dispense cash by overcoming their internal security systems.
- **Vulnerability Exploitation:** The malware targets specific ATM platforms, including **Diebold Nixdorf** and the **Kalignite Platform**.
## Targeting
- **Sectors:** Financial Services, specifically targeting Automated Teller Machines (ATMs).
- **Geography:** Not explicitly named for this specific wave; prior known activity occurred in Mexico (2013). The context suggests the targets were within the jurisdiction where the charges were brought (an implied US/international scope, based on the DoJ action).
- **Victims:** At least **63 ATMs**, most of which belonged to **credit unions**.
## Tools & Infrastructure
- **Malware Families Used:** **Ploutus** (described as "one of the most advanced ATM malware families").
- **Infrastructure (C2, domains, IPs):** Not detailed in the summary provided beyond the use of malware and physical access methods (hard drives, thumb drives).
## Implications
This activity highlights the convergence of transnational organized crime (TdA) with sophisticated cyber capabilities (Ploutus). The sustained nature of the Ploutus threat (active for nearly a decade) indicates its effectiveness and the need for constant updates to physical and logical security controls for ATM hardware and software. The physical aspect of the attack requires insider knowledge or collusion/coercion regarding surveillance and initial access.
## Mitigations
- **Physical Security Hardening:** Enhance physical security around ATM cassettes and internal components to prevent the unauthorized replacement of hard drives or insertion of malicious storage devices (thumb drives).
- **Integrity Monitoring:** Implement robust application whitelisting and system hard-disk integrity checks to detect unauthorized operating system or firmware modifications upon boot or startup.
- **Vendor Patch Management:** Ensure all ATMs, particularly those running Diebold Nixdorf or Kalignite Platform systems, are patched against known vulnerabilities that Ploutus might exploit post-infection.
- **Alert Response:** Review standard operating procedures for physical security alerts triggered by the opening or tampering of ATM casings.