
Crims hit a $20M jackpot via malware-stuffed ATMs

(2026/02/19)


Thieves stole more than $20 million from compromised ATMs last year using a malware-assisted technique that the FBI says is on the uptick across the United States.

They are doing this through ATM jackpotting - a cyber-physical attack in which crooks exploit physical and software vulnerabilities in ATMs to deploy malware that instructs the machine to dispense cash on demand without bank authorization. Of the 1,900 such incidents reported since 2020, more than 700 occurred in 2025 alone, according to a Thursday [1]security alert [PDF].

Crims typically gain initial access via generic keys that open the ATM face, and then infect the machine with malware, either removing the ATM's hard drive and copying malware onto it before putting it back into the machine, or simply replacing the hard drive with one that's preloaded with ATM jackpotting code.


Ploutus malware, which is commonly used in these attacks, abuses eXtensions for Financial Services (XFS), an open-standard API used by ATMs, POS terminals, and similar devices that run banking applications. XFS lets the banking software work across different vendors' hardware and instruct the ATM what to do - for example, send this transaction to the bank for authorization, and then dispense cash to the customer.


The malware, however, allows the attackers to issue their own commands to XFS, bypass bank authorization, and instruct the ATM to dispense cash on demand.

[4]ATM flashes a port or two for the enterprising hacker

[5]ATM takes a kicking yet keeps on ticking

[6]Manchester ATM ups PIN requirement to full Windows login

[7]ATM maintenance tech broke the bank by forgetting to return a key

While these attacks don't hurt banking customers - unlike skimming, which steals people's card data and PINs - ATM jackpotting does cost financial institutions tens of millions of dollars in losses. Plus, these incidents are difficult to detect until after the cash is withdrawn.

In its Thursday alert, the FBI lists several digital indicators of compromise for ATMs running Windows, so give those a read: they include multiple executables along with associated files and scripts. There are also several physical indicators, such as event IDs that may appear when USB storage devices are inserted into a compromised ATM, and signs like no-cash indicators, unauthorized devices plugged into the ATM, or removed hard drives.
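The alert's point about host-side indicators (USB storage being inserted, then unfamiliar executables appearing) maps naturally onto a small triage pass over Windows event records. The script below is an added example, not code from the article or from the FBI alert, and it does not use the alert's actual IoC list, which is only in the linked PDF. It assumes two standard Windows Security log events, 6416 ("a new external device was recognized by the system") and 4688 ("a new process has been created"); the vendor install path, the device-class names and the sample records are constructed for illustration.

```python
"""Triage constructed Windows event records for ATM jackpotting indicators.

Added example; the FBI alert's real IoCs are not reproduced here.
Event IDs: 6416 = external device recognized, 4688 = process created.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Paths an ATM host is expected to launch code from. The vendor directory is a
# hypothetical placeholder; a real baseline comes from the deployment image.
ALLOWED_EXE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\atmvendor\\",
)

# Device-class values (lower-cased) that we treat as storage in a 6416 record.
STORAGE_CLASSES = {"diskdrive", "usb", "wpd"}


@dataclass
class Finding:
    time: datetime
    event_id: int
    severity: str
    reason: str
    detail: str


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def triage(events, window=timedelta(minutes=30)):
    """Return findings for storage insertions and non-baseline process launches.

    A process launched from a non-baseline path within `window` of a storage
    device being recognized is escalated to "high", since that ordering matches
    the alert's description of malware arriving on removable media.
    """
    findings = []
    last_storage_insert = None
    for ev in sorted(events, key=_ts):
        ts, eid = _ts(ev), ev["event_id"]
        if eid == 6416 and ev.get("class_name", "").lower() in STORAGE_CLASSES:
            last_storage_insert = ts
            findings.append(Finding(ts, eid, "medium",
                                    "external storage device recognized",
                                    ev.get("device_id", "")))
        elif eid == 4688:
            exe = ev.get("new_process_name", "")
            if exe.lower().startswith(ALLOWED_EXE_PREFIXES):
                continue  # baseline software; nothing to report
            severity = "medium"
            if last_storage_insert is not None and ts - last_storage_insert <= window:
                severity = "high"
            findings.append(Finding(ts, eid, severity,
                                    "process launched from non-baseline path", exe))
    return findings


# Constructed sample records: one storage insertion followed two minutes later by a
# launch from the removable drive, one baseline launch, one keyboard, and one
# late non-baseline launch that falls outside the correlation window.
SAMPLE_EVENTS = [
    {"time": "2026-02-19T02:10:00", "event_id": 6416, "class_name": "DiskDrive",
     "device_id": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk"},
    {"time": "2026-02-19T02:12:30", "event_id": 4688,
     "new_process_name": "E:\\deploy\\service.exe"},
    {"time": "2026-02-19T09:00:00", "event_id": 4688,
     "new_process_name": "C:\\Program Files\\AtmVendor\\atmapp.exe"},
    {"time": "2026-02-19T10:00:00", "event_id": 6416, "class_name": "Keyboard",
     "device_id": "HID\\VID_0000"},
    {"time": "2026-02-19T15:30:00", "event_id": 4688,
     "new_process_name": "C:\\Users\\Public\\tool.exe"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.time:%Y-%m-%d %H:%M:%S}  {f.event_id}  {f.severity:6}  {f.reason}: {f.detail}")
```

Run as-is it reports three findings: the storage insertion at 02:10 (medium), the launch from `E:\deploy\service.exe` at 02:12 (high, because it follows the insertion within the window), and the 15:30 launch from a public directory (medium, outside the window). The allowlist is deliberately narrow; on a real fleet it should be generated from the gold image rather than typed by hand.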

As always, if you see suspicious activity or any indication of ATM jackpotting, report it to your local FBI field office at www.fbi.gov/contact-us/field-offices or the FBI Internet Crime Complaint Center at [8]www.ic3.gov. ®




[1] https://www.ic3.gov/CSA/2026/260219.pdf


[4] https://www.theregister.com/2026/01/28/atm_flashes_a_port_bork/

[5] https://www.theregister.com/2026/01/21/atm_bork/

[6] https://www.theregister.com/2026/01/20/manchester_atm_bork/

[7] https://www.theregister.com/2026/01/19/who_me/

[8] http://www.ic3.gov




You just know they skimped on the security

Anonymous Coward

because it was getting "too expensive".

Re: You just know they skimped on the security

BartyFartsLast

Business expense and tax write off I guess, $20M is probably peanuts compared to the cost of making it all secure because it sounds like there's physical security changes needed as well as the ongoing maintenance and patching, plus the US, I think, has a whole raft of different ATM services which compete for locations in places like bodegas, gas stations and pretty much anywhere they can

Re: You just know they skimped on the security

DS999

Because it is too easy to build your ATM on a Windows platform.

While these attacks don't hurt banking customers

Neil Barnes

Um, yes. Yes they do.

Any theft - whether it's money from 'the bank', cheating on taxes, shoplifting, stealing parcels from people's doorsteps - has a knock on effect throughout society. It may be only a few cents here and there, maybe only fractions of a penny... but there are such a lot of them. That's your pension that's not paying as well because the bank shows a lower profit and has a lower share price and dividend payout.

It still hurts you - and me - somehow. It's never a victimless crime.

Of course, whether it's comparable to losses caused by a 'self-made' multi-billionaire is another question. It might be a defensible claim that people gave their hard-earned money to a billionaire voluntarily. I mean, it's 'free' to use the 'services' that such parasites have created, right?

Victimless crime.

Anonymous Coward

As far as I'm concerned, banks aren't victims, they're perpetrators. This is just retrieving a few pennies from the billionaires.

Unlike robbing a bank with a gun, there is no harm to anyone innocent.
