FBI Warns of Surge in Malware-Driven ATM “Jackpotting” Attacks, Losses Top $20 Million Nationwide

Earlier this year, the U.S. Federal Bureau of Investigation (FBI) issued a FLASH advisory highlighting a sharp rise in malware-enabled ATM jackpotting attacks — frauds where threat actors force ATMs to dispense cash without legitimate transactions. Over 1,900 such incidents have been reported since 2020, and more than 700 occurred in 2025 alone, producing over $20 million in losses. This trend underscores growing exploitation of ATM infrastructure and necessitates better technical defenses.


What Is ATM Jackpotting Malware?

ATM jackpotting refers to malware that gives attackers direct control over an ATM’s cash dispensing mechanism. Instead of targeting customer accounts, this malware operates at the software/hardware level of the ATM, bypassing standard transaction flows.

The FBI specifically notes the Ploutus malware family, which leverages vulnerabilities in the eXtensions for Financial Services (XFS) layer — the critical interface between ATM applications and physical operations. By issuing crafted commands to XFS, threat actors can bypass bank authorization and trigger cash payouts at will.

Here’s how this typically works:

  1. Physical access — attackers open the ATM fascia using generic keys.
  2. Malware injection — they install malware via hard drive manipulation, either copying payloads to the original drive or substituting drives preloaded with malware.
  3. Execution & control — the malware interacts directly with ATM hardware, completely circumventing normal transaction logic.

Key Technical Indicators of Compromise (IOCs)

From a defender’s perspective, identifying jackpotting involves correlating unusual software artifacts with physical intrusion events.

Digital IOCs (Windows-based ATMs)

Check for unexpected executables — especially with unfamiliar names or unknown hashes. Examples include:

  • Newage.exe, Color.exe, Levantaito.exe, NCRApp.exe
  • Remote tools like Anydesk1.exe
  • Script files (Restaurar.bat, Logcontrol.txt)

Known MD5 hashes tied to jackpotting malware samples are cited in the advisory — useful for local signature matching in forensic analysis.

Persistence & Unauthorized Services

Persistent malware may:

  • Modify registry autoruns under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Create custom Windows services with generic or deceptive names (e.g., ATM Service)

Physical/System Events to Monitor

Detecting physical intrusion and staging is critical:

  • USB insertion logs (Event IDs 2003, 6416)
  • Unauthorized USB keyboards, hubs, or storage devices
  • ATM doors opened outside maintenance windows
  • Unexpectedly low/no cash states on machines

Linking these physical and digital IOCs gives the best chance of spotting jackpotting attempts early.
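To make that linkage concrete, here is an added example (not code from the article or the FBI advisory) that scores host-side indicators by how close they sit to a door opening. The log export format, the 30-minute correlation window and all sample records are constructed; only the event IDs 2003 and 6416, the file names and the autorun registry path come from the text above. Event IDs 4688 and 4657 in the sample are standard Windows Security IDs for process creation and registry value changes, but the classifier keys on the detail text rather than on them.

```python
"""Correlate ATM host log events with physical access records.

Added example, not part of the FBI advisory or the article. The log lines
below are constructed; only event IDs 2003 and 6416, the file names and the
autorun registry path are taken from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# File names quoted in the article (matched case-insensitively).
SUSPICIOUS_FILES = {"newage.exe", "color.exe", "levantaito.exe", "ncrapp.exe",
                    "anydesk1.exe", "restaurar.bat", "logcontrol.txt"}
AUTORUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
USB_EVENT_IDS = {2003, 6416}                # removable-device events named in the article
CORRELATION_WINDOW = timedelta(minutes=30)  # assumed tolerance between door and host events


@dataclass
class HostEvent:
    ts: datetime
    event_id: int
    detail: str


@dataclass
class DoorEvent:
    ts: datetime
    atm_id: str
    scheduled: bool  # True when the opening falls inside an approved maintenance window


def parse_host_log(text: str) -> List[HostEvent]:
    """Parse 'timestamp|event_id|detail' lines (constructed export format)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, detail = line.split("|", 2)
        events.append(HostEvent(datetime.fromisoformat(ts), int(eid), detail))
    return events


def parse_door_log(text: str) -> List[DoorEvent]:
    """Parse 'atm_id,timestamp,scheduled|unscheduled' lines from the access-control system."""
    events = []
    for line in text.strip().splitlines():
        atm_id, ts, status = line.split(",")
        events.append(DoorEvent(datetime.fromisoformat(ts), atm_id, status == "scheduled"))
    return events


def classify(ev: HostEvent) -> List[str]:
    """Return the indicator categories a single host event matches."""
    tags = []
    if ev.event_id in USB_EVENT_IDS:
        tags.append("usb_device")
    low = ev.detail.lower()
    if any(name in low for name in SUSPICIOUS_FILES):
        tags.append("known_jackpotting_artifact")
    if AUTORUN_KEY in low:
        tags.append("autorun_persistence")
    return tags


def correlate(host_events: List[HostEvent], door_events: List[DoorEvent]) -> List[Dict]:
    """Raise severity when a flagged host event sits close to a door opening.

    high   - an unscheduled door opening within the correlation window
    medium - only a scheduled (maintenance) door opening nearby
    low    - digital indicator with no matching physical event
    """
    findings = []
    for ev in host_events:
        tags = classify(ev)
        if not tags:
            continue
        nearby = [d for d in door_events if abs(d.ts - ev.ts) <= CORRELATION_WINDOW]
        if any(not d.scheduled for d in nearby):
            severity = "high"
        elif nearby:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"ts": ev.ts.isoformat(), "event_id": ev.event_id,
                         "tags": tags, "severity": severity})
    return findings


# Constructed sample data for one ATM over a single day.
HOST_LOG = r"""
2025-03-14T02:05:10|6416|New external device recognized: USB\VID_0000&PID_0000
2025-03-14T02:06:42|2003|UMDF host process started for USB mass storage device
2025-03-14T02:08:03|4688|Process created: C:\Windows\Temp\Newage.exe
2025-03-14T02:08:30|4657|Registry value set: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Newage
2025-03-14T09:30:00|6416|New external device recognized: USB keyboard
2025-03-14T12:00:00|4624|Logon: SYSTEM
"""
DOOR_LOG = """
ATM-0417,2025-03-14T02:03:50,unscheduled
ATM-0417,2025-03-14T09:25:00,scheduled
"""


def run_sample() -> List[Dict]:
    """Run the correlation over the constructed logs."""
    return correlate(parse_host_log(HOST_LOG), parse_door_log(DOOR_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"].upper(), f["ts"], f["event_id"], ", ".join(f["tags"]))
```

In the sample, the 02:05 USB insertion, the Newage.exe launch and the autorun write all land within minutes of an unscheduled door opening and come out as high severity, while the 09:30 keyboard during a scheduled maintenance visit is only medium; the same digital indicator is treated very differently depending on the physical record it is paired with.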


Best Technical Controls & Mitigations

Protecting ATM environments requires layered defenses — combining physical security with system hardening and audit practices:

1. Strengthen Physical Security

  • Replace standard ATM maintenance keys with stronger locks and alarmed hatches
  • Deploy vibration or motion sensors inside ATM vestibules
  • Ensure comprehensive video surveillance with retained footage

2. Apply Robust System Integrity Controls

  • Use gold-image integrity validation for ATM system builds
  • Enable firmware integrity checks via TPM with digitally signed firmware
  • Enforce disk encryption to prevent unauthorized offline modification

3. Improve Logging & Detection

  • Enable detailed removable storage and object access auditing
  • Correlate system logs with physical access events for suspicious patterns
  • Use secure logging to a central SIEM for real-time threat detection

4. Network & Endpoint Hardening

  • Whitelist trusted devices and IP addresses
  • Deploy antimalware and EDR tools configured to monitor ATM processes
  • Enforce software whitelisting to prevent execution of unknown binaries

Recommended Incident Response Strategy

When an ATM compromise is suspected:

  1. Validate system integrity against your baseline (“gold image”).
  2. Extract forensic images of system and removable drives.
  3. Check hashes and executable artifacts against known indicators.
  4. Correlate log events with physical access records and camera footage.
  5. Report findings to appropriate law enforcement agencies as outlined in the FBI advisory.
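Steps 1 and 3 above (validate against the gold image, then check artifacts against known hashes) can be scripted once a baseline manifest exists. The following is an added example, not code from the article or the FBI advisory: it builds a manifest of file hashes for a gold image, diffs a live tree against it, and then MD5-hashes only the files that changed so they can be checked against an indicator list. The directory layout, file contents and the "known bad" hash are all constructed inside the script so it runs offline; a real deployment would load the manifest from the image build pipeline and the hash list from the advisory.

```python
"""Validate an ATM build against a gold-image manifest and known-bad hashes.

Added example, not part of the FBI advisory or the article. The directory
layout, file contents and the 'known bad' hash are constructed here so the
script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream a file through the chosen digest so large images fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative, POSIX separators) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed, or modified relative to the gold image."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def match_known_bad(root: Path, paths: Iterable[str], known_md5: Iterable[str]) -> List[str]:
    """MD5 the given files (the digest the advisory's IOC list uses) and return matches."""
    bad = {h.lower() for h in known_md5}
    return sorted(p for p in paths if hash_file(root / p, "md5") in bad)


def validate_atm(gold_root: Path, live_root: Path, known_md5: Iterable[str]) -> Dict[str, List[str]]:
    """Full check: manifest diff first, then IOC hash match on anything that changed."""
    report = compare_manifests(build_manifest(gold_root), build_manifest(live_root))
    report["known_bad"] = match_known_bad(live_root, report["added"] + report["modified"], known_md5)
    return report


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


# Constructed stand-in for a malware sample; its MD5 is computed here and used
# as the 'known bad' indicator. It is NOT a hash from the FBI advisory.
SAMPLE_PAYLOAD = b"constructed placeholder payload, not real malware"
KNOWN_BAD_MD5 = [hashlib.md5(SAMPLE_PAYLOAD).hexdigest()]


def run_sample() -> Dict[str, List[str]]:
    """Build a gold image and a drifted live tree in temp dirs, then validate."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as live:
        gold_root, live_root = Path(gold), Path(live)
        for root in (gold_root, live_root):
            _write(root, "app/atm.exe", b"vendor dispenser application build 1")
        _write(gold_root, "app/config.ini", b"ui_language=en\n")
        _write(gold_root, "app/readme.txt", b"gold image notes\n")
        # Drift on the live machine: edited config, missing file, dropped binary.
        _write(live_root, "app/config.ini", b"ui_language=es\n")
        _write(live_root, "Windows/Temp/Newage.exe", SAMPLE_PAYLOAD)
        return validate_atm(gold_root, live_root, KNOWN_BAD_MD5)


if __name__ == "__main__":
    for key, paths in run_sample().items():
        print(f"{key:9s} {paths}")
```

Hashing only the added and modified files keeps the IOC check cheap on a full disk image, and the manifest diff by itself is often the more useful output: an unknown binary under a temp directory or an edited configuration is worth investigating even when its hash matches nothing on the current indicator list.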

Final Notes

ATM jackpotting represents a unique blend of physical and digital attack vectors; as such, defenses must integrate:

  • Asset hardening
  • Audit and detection systems
  • Physical access control
  • Incident response maturity

For infrastructure owners and cyber teams, aligning detection capabilities to these IOCs and strengthening physical safeguards is crucial to reducing risk exposure.