Full Report
The U.S. Federal Bureau of Investigation (FBI) has warned of an increase in ATM jackpotting incidents across the country, leading to losses of more than $20 million in 2025. The agency said 1,900 ATM jackpotting incidents have been reported since 2020, out of which 700 took place last year. In December 2025, the U.S. Department of Justice (DoJ) said about $40.73 million has been collectively
Analysis Summary
# Incident Report: Surge in ATM Jackpotting Attacks (2020-2025)
## Executive Summary
The FBI has issued a warning regarding a significant rise in ATM "jackpotting" attacks, where threat actors use physical access and specialized malware to force ATMs to dispense cash. Since 2020, over 1,900 incidents have been reported, resulting in approximately $40.73 million in cumulative losses. 2025 saw a sharp escalation with 700 reported incidents and over $20 million in losses in that year alone.
## Incident Details
- **Discovery Date:** Recurring alerts; latest FBI bulletin issued February 19, 2026.
- **Incident Date:** Ongoing (2020 – Present); Peak activity recorded in 2025.
- **Affected Organization:** Multiple financial institutions and ATM operators.
- **Sector:** Banking / Financial Services.
- **Geography:** United States (Nationwide).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing; incidents typically take place in a matter of minutes.
- **Vector:** Physical Breach.
- **Details:** Attackers use generic "master" keys to open the ATM's outer casing or "face" to gain access to the internal hardware components.
### Lateral Movement
- **Details:** Not traditional network lateral movement; rather, attackers move from physical access to the internal hard drive. They either remove the drive to inject malware via an external laptop or replace the legitimate hard drive with a pre-imaged rogue drive.
### Data Exfiltration/Impact
- **Details:** Physical theft of currency. The malware bypasses bank authorization, instructing the dispenser to empty the cash cassettes.
### Detection & Response
- **How it was discovered:** Discrepancies in cash balances and post-incident forensic audits of ATM hardware.
- **Response actions taken:** FBI and DoJ investigations; 54 individuals charged in December 2025; issuance of national security bulletins to the financial sector.
## Attack Methodology
- **Initial Access:** Physical manipulation with generic keys.
- **Persistence:** Installation of **Ploutus** malware (or variants) onto the ATM hard drive.
- **Privilege Escalation:** Exploiting the eXtensions for Financial Services (XFS) software layer to gain hardware-level control.
- **Defense Evasion:** Bypassing standard ATM software security controls and operating independently of the bank's transaction authorization network.
- **Credential Access:** Bypassing the need for legitimate user credentials or bank cards.
- **Discovery:** Identifying ATM hardware vulnerabilities and manufacturer types.
- **Lateral Movement:** Physical-to-Digital transition (USB/SATA interface access).
- **Collection:** Interfacing with the XFS layer to control the cash dispenser.
- **Exfiltration:** Physical removal of cash (the "Jackpot").
- **Impact:** Direct financial loss and physical damage to ATM hardware.
## Impact Assessment
- **Financial:** Over $20 million lost in 2025; total $40.73 million since 2021.
- **Data Breach:** Limited; focus is on currency theft rather than PII, though system logs/configurations are compromised.
- **Operational:** Disruption of ATM services and the need for significant physical hardware repairs/replacements.
- **Reputational:** Decreased public confidence in ATM safety.
## Indicators of Compromise
- **Network indicators:** Uncommon external connections (if the ATM is modified for remote triggering).
- **File indicators:** Presence of **Ploutus** malware or unauthorized XFS-related binaries.
- **Behavioral indicators:** Rebooting of ATMs outside of maintenance windows; ATM cabinet door alarms; "Out of Service" or "Cash Out" states without corresponding transaction logs.
## Response Actions
- **Containment:** Physical lockdown of affected machines and disabling of compromised units.
- **Eradication:** Wiping and re-imaging ATM hard drives; replacing physical locks.
- **Recovery:** Restoring ATM services with hardened security configurations and upgraded physical protections.
## Lessons Learned
- **Key Takeaways:** Physical security is the first line of defense; once an attacker has physical access to the ATM computer, software controls can be bypassed by driving the dispenser directly through the XFS middleware layer.
- **What could have been done better:** Better key management; many machines still use generic, manufacturer-provided default keys.
## Recommendations
- **Physical Security:** Replace standard locks with high-security, unique locks; install vibration or tilt sensors and enhanced CCTV.
- **Hardening:** Implement Full Disk Encryption (FDE) to prevent offline tampering with the hard drive.
- **Access Control:** Enable "Device Allowlisting" to prevent unauthorized USB or hardware peripherals from connecting to the ATM computer.
- **Monitoring:** Configure ATMs to shut down automatically if the cabinet is opened without a technician's authorization code.
- **Log Management:** Centralize and monitor ATM logs for unauthorized reboots or XFS command anomalies.
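As an added illustration of the behavioral indicators listed above and of the log monitoring recommended here (this is example code written for this report, not FBI or vendor tooling), the following Python script correlates constructed ATM event records with host-side authorizations and flags dispenses without a matching authorization, reboots outside an assumed maintenance window, and cabinet openings not preceded by a technician code. The event format, terminal IDs, windows and thresholds are all assumptions.

```python
"""Flag ATM jackpotting indicators from constructed event logs (example, not real data)."""
from datetime import datetime, timedelta

# Constructed sample ATM events: (timestamp, terminal, event, detail).
ATM_EVENTS = [
    ("2025-03-02T02:14:05", "ATM-017", "CABINET_OPEN", ""),
    ("2025-03-02T02:15:40", "ATM-017", "REBOOT", ""),
    ("2025-03-02T02:19:12", "ATM-017", "DISPENSE", "amount=2000"),
    ("2025-03-02T02:19:30", "ATM-017", "DISPENSE", "amount=2000"),
    ("2025-03-03T10:02:00", "ATM-004", "TECH_AUTH", "code=ok"),
    ("2025-03-03T10:03:10", "ATM-004", "CABINET_OPEN", ""),
    ("2025-03-03T10:30:00", "ATM-004", "REBOOT", ""),
    ("2025-03-03T12:41:00", "ATM-004", "DISPENSE", "amount=100"),
]
# Constructed host-side transaction authorizations: (timestamp, terminal, amount).
HOST_AUTHS = [("2025-03-03T12:40:55", "ATM-004", 100)]

MAINT_WINDOW = (9, 17)                # assumed maintenance hours (local time)
AUTH_WINDOW = timedelta(seconds=30)   # a dispense must follow a host auth this closely
TECH_WINDOW = timedelta(minutes=5)    # a cabinet open must follow a technician code

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def find_alerts(events, host_auths):
    """Return (terminal, rule, timestamp) tuples for events matching an indicator."""
    alerts = []
    last_tech = {}                    # terminal -> time of last technician code
    for ts, term, ev, detail in sorted(events):
        t = _ts(ts)
        if ev == "TECH_AUTH":
            last_tech[term] = t
        elif ev == "CABINET_OPEN":
            # Door alarm without a recent technician authorization code.
            if term not in last_tech or t - last_tech[term] > TECH_WINDOW:
                alerts.append((term, "cabinet_open_without_tech_auth", ts))
        elif ev == "REBOOT" and not (MAINT_WINDOW[0] <= t.hour < MAINT_WINDOW[1]):
            alerts.append((term, "reboot_outside_maintenance", ts))
        elif ev == "DISPENSE":
            # "Cash out" with no corresponding host authorization (the jackpot signature).
            amt = int(detail.split("=")[1])
            matched = any(a_term == term and a_amt == amt and
                          timedelta(0) <= t - _ts(a_ts) <= AUTH_WINDOW
                          for a_ts, a_term, a_amt in host_auths)
            if not matched:
                alerts.append((term, "dispense_without_host_auth", ts))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(ATM_EVENTS, HOST_AUTHS):
        print(*alert)
```

A production version would consume each host authorization once, so that two dispenses cannot both be matched against a single authorized transaction.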