FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025 Ravie LakshmananFeb 20, 2026 Financial Crime / Banking Security The U.S. Federal Bureau of Investigation (FBI) has warned of an increase in ATM jackpotting incidents across the country, leading to losses of more than $20 million in 2025. The agency said 1,900 ATM jackpotting incidents have been reported since 2020, out of which 700 took place last year. In December 2025, the U.S. Department of Justice (DoJ) said about $40.73 million has been collectively lost to jackpotting attacks since 2021. "Threat actors exploit physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction," the FBI said in a Thursday bulletin. The jackpotting attacks involve the use of specialized malware, such as Ploutus, to infect ATMs and force them to dispense cash. In most cases, cybercriminals have been observed gaining unauthorized access to the machines by opening an ATM face with widely available generic keys. There are at least two different ways by which the malware is deployed: Removing the ATM's hard drive, followed by either connecting it to their computer, copying it to the hard drive, attaching it back to the ATM, and rebooting the ATM, or replacing it entirely with a foreign hard drive preloaded with the malware and rebooting it. Regardless of the method used, the end result is the same. The malware is designed to interact directly with the ATM hardware, thereby getting around any security controls present in the original ATM software. Because the malware does not require a connection to an actual bank card or customer account to dispense cash, it can be used against ATMs of different manufacturers with little to no code changes, as the underlying Windows operating system is exploited during the attack. Ploutus was first observed in Mexico in 2013. Once installed, it grants threat actors complete control over an ATM, enabling them to trigger cash-outs that the FBI said can occur in minutes and are harder to detect until after the money is withdrawn. "Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do," the FBI explained. "When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand." The agency has outlined a long list of recommendations that organizations can adopt to mitigate jackpotting risks. This includes tightening physical security by installing threat sensors, setting up security cameras, and changing standard locks on ATM devices. Other measures involve auditing ATM devices, changing default credentials, configuring an automatic shutdown mode once indicators of compromise are detected, enforcing device allowlisting to prevent connection of unauthorized devices, and maintaining logs. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share Trending News Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet and AI Malware Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History ThreatsDay Bulletin: AI Prompt RCE, Claude 0-Click, RenEngine Loader, Auto 0-Days and 25+ Stories New Chrome Zero-Day (CVE-2026-2441) Under Active Attack — Patch Released Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging LOAD MORE ▼ Popular Resources Secure Your APIs with Modern Identity — Try Curity Identity Server Free Guide to Uncover Hidden Apps, Accounts, and Authentication Blind Spots Advance Hands-On Cyber Defense Skills at SANS DC Metro Training Explore How Unified Security Platforms Protect Your Entire Stack