Over 700 ATM Jackpotting attacks, $20 million stolen: FBI

New Delhi: The US Federal Bureau of Investigation has reported a sharp rise in ATM jackpotting cases this year. In a recent alert, the agency said that more than 700 such attacks were recorded in 2025. Officials estimate that at least $20 million was stolen through these operations.

The warning highlights how criminals are now mixing physical break-ins with malware to empty cash machines. Instead of targeting bank customers, these groups are going directly after the ATM itself, forcing it to release cash within minutes.

How ATM jackpotting works

ATM jackpotting is a method where attackers make a cash machine spit out money on demand. The stolen cash does not come from any customer's bank account: the attackers take control of the ATM's internal system and force the machine itself to hand over cash.

Investigators say the process often starts with physical access. Criminals first use copied or stolen keys to unlock the ATM cabinet, then connect to internal components such as the system drive or service ports. From there, they load malicious software onto the machine.

The FBI has identified one commonly used malware strain called Ploutus. It is designed to infect ATMs that run on Windows and allows attackers to control the cash dispenser remotely.

Misusing the ATM’s own software

Ploutus takes advantage of XFS, or Extensions for Financial Services. XFS is a standard that helps the ATM’s software talk to hardware parts like the card reader, PIN pad and cash dispenser.

By interfering with XFS, attackers can send fake instructions to the machine. The ATM believes it has received a valid command and releases money, even though no real transaction has taken place.
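A dispense with no real transaction behind it is something an operator can check for by reconciling dispenser events against host authorisations. The sketch below is an added example, not code from the FBI alert or any ATM vendor; the journal line format, field names and time windows are assumptions, the sample data is constructed, and it assumes the events are collected somewhere the ATM's own software cannot rewrite.

```python
from datetime import datetime, timedelta

# Constructed sample journal (hypothetical format): host AUTH records,
# dispenser DISPENSE events and cabinet door sensor events for one ATM.
SAMPLE_LOG = """\
2025-03-01T10:02:31 AUTH txn=T1001 amount=200
2025-03-01T10:02:35 DISPENSE txn=T1001 amount=200
2025-03-02T02:14:05 CABINET_OPEN
2025-03-02T02:21:40 DISPENSE txn=- amount=800
2025-03-02T02:22:10 DISPENSE txn=- amount=800
2025-03-02T09:15:00 AUTH txn=T1002 amount=100
2025-03-02T09:15:04 DISPENSE txn=T1002 amount=300
2025-03-02T09:40:00 DISPENSE txn=T1001 amount=200
"""

def parse(line):
    """Split 'timestamp KIND key=value ...' into (datetime, kind, fields)."""
    ts, kind, *fields = line.split()
    return datetime.fromisoformat(ts), kind, dict(f.split("=", 1) for f in fields)

def find_unbacked_dispenses(log, auth_window=timedelta(seconds=60),
                            cabinet_window=timedelta(minutes=30)):
    """Return every dispense that no fresh, unused host authorisation covers."""
    pending = {}      # txn id -> (auth time, amount); consumed on first use
    last_open = None  # time of the most recent cabinet-open event
    alerts = []
    for line in filter(None, map(str.strip, log.splitlines())):
        ts, kind, f = parse(line)
        if kind == "AUTH":
            pending[f["txn"]] = (ts, int(f["amount"]))
        elif kind == "CABINET_OPEN":
            last_open = ts
        elif kind == "DISPENSE":
            amount = int(f["amount"])
            auth = pending.pop(f["txn"], None)  # pop, so a replayed id fails
            if auth is None:
                reason = "no host authorisation"
            elif amount != auth[1]:
                reason = "amount differs from authorisation"
            elif ts - auth[0] > auth_window:
                reason = "authorisation too old"
            else:
                continue  # dispense is backed by a real transaction
            near_open = last_open is not None and ts - last_open <= cabinet_window
            alerts.append({"time": ts.isoformat(), "amount": amount,
                           "reason": reason, "after_cabinet_open": near_open})
    return alerts
```

Alerts with `after_cabinet_open` set combine both signals the article describes, physical access followed by cash leaving the machine without a transaction, and deserve the highest priority.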

“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn,” the FBI said in its bulletin.

Security experts have previously pointed out weaknesses in some XFS setups, especially in older or poorly protected machines. What started as a technical demonstration at a security conference has now become a well-organised criminal method.
