Nearly two-fifths of ATM jackpotting attacks recorded in the US since 2020 occurred last year, the FBI has warned.

A new FBI Flash alert claimed that the 700+ attacks seen in 2025 resulted in losses of over $20m.

Typically, threat actors deploy malware such as the Ploutus variant to abuse the eXtensions for Financial Services (XFS) API, the middleware layer through which the ATM application drives the cash dispenser and other peripherals, giving them direct control over the machine, the FBI explained.

“When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand,” it said.

“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.”


After opening the front of an ATM with “generic keys,” threat actors either remove the hard drive, load their malware onto it, then refit the drive and reboot the machine, or else replace the drive outright with a third-party device pre-loaded with malware, the alert noted.

“The malware interacts directly with the ATM hardware, bypassing any communications or security of the original ATM software. The malware does not require connection to an actual bank customer account to dispense cash,” it continued.

“The malware can be used across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise.”

From Physical Security to Threat Intelligence

The FBI recommended a range of mitigations designed to help ATM owners to identify physical intrusions and malware staging early on. They include:

  • Physical security such as device sensors, more secure locks, and security cameras
  • Hardware security including device whitelisting, auto-shutdowns, firmware checks, hard drive encryption and more
  • Logging (including of the device state), with central storage and lengthy data retention
  • Auditing of ATM devices, credentials, updates and security implementations
  • IP whitelisting
  • Endpoint detection and response – including anti-malware and software whitelisting
  • Threat intelligence to be shared between industry groups
  • Updated security awareness training for staff to cover jackpotting
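The two observable traces the alert describes, cash leaving the dispenser without a corresponding host authorization and a cabinet opening followed by a reboot from a different drive, can be checked against the central logs the mitigations list calls for. The script below is an added example, not code from the FBI alert or any ATM vendor: the pipe-delimited event and authorization log formats, the ATM identifier `ATM-17`, the disk serials and the event names `DOOR_OPEN`, `BOOT` and `DISPENSE` are all assumed, and the sample lines are constructed for illustration.

```python
"""Correlate ATM dispenser events against host authorizations.

Hypothetical detection logic (not the FBI's or any vendor's code). Two checks:
1. a DISPENSE with no matching host authorization (the XFS bypass), and
2. a BOOT shortly after a cabinet open that reports a different boot-disk
   serial than the previous boot (the drive-swap staging step).
Log formats, field names and the sample data are assumed/constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed ATM-side event log; format "timestamp|atm_id|event|detail" is assumed.
# DISPENSE detail carries the amount, BOOT detail the boot-disk serial number.
ATM_EVENTS = """\
2025-03-02T01:10:05|ATM-17|DOOR_OPEN|top-cabinet
2025-03-02T01:14:40|ATM-17|BOOT|disk=WD-7A91
2025-03-02T01:17:02|ATM-17|DISPENSE|amount=2000
2025-03-02T01:17:31|ATM-17|DISPENSE|amount=2000
2025-03-02T01:18:03|ATM-17|DISPENSE|amount=2000
2025-03-02T09:30:12|ATM-17|DISPENSE|amount=100
2025-03-01T23:55:00|ATM-17|BOOT|disk=ST-4C22
"""

# Constructed host-side authorization log: "timestamp|atm_id|amount|auth_code".
HOST_AUTHS = """\
2025-03-02T09:30:10|ATM-17|100|A7F3
"""


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    detail: str


def parse_events(text):
    """Parse the assumed ATM event format and sort by timestamp."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, kind, detail = line.split("|", 3)
        out.append(Event(datetime.fromisoformat(ts), atm, kind, detail))
    return sorted(out, key=lambda e: e.ts)


def parse_auths(text):
    """Parse the assumed host authorization format into (ts, atm, amount, code)."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, amount, code = line.split("|", 3)
        out.append((datetime.fromisoformat(ts), atm, int(amount), code))
    return out


def unauthorized_dispenses(events, auths, window=timedelta(seconds=30),
                           skew=timedelta(seconds=5)):
    """Return DISPENSE events with no host authorization for the same ATM and
    amount issued within `window` before the dispense (allowing `skew` of
    clock drift). Each authorization may satisfy only one dispense, so a
    replayed or duplicated dispense against a single authorization is flagged."""
    unused = list(auths)
    flagged = []
    for e in events:
        if e.kind != "DISPENSE":
            continue
        amount = int(e.detail.split("=", 1)[1])
        match = None
        for a in unused:
            if a[1] == e.atm and a[2] == amount and -skew <= e.ts - a[0] <= window:
                match = a
                break
        if match is not None:
            unused.remove(match)
        else:
            flagged.append(e)
    return flagged


def tampered_reboots(events, window=timedelta(minutes=30)):
    """Return BOOT events that follow a DOOR_OPEN on the same ATM within
    `window` and report a different boot-disk serial than that ATM's previous
    boot, i.e. the machine came back up on a different drive."""
    last_disk, last_open, flagged = {}, {}, []
    for e in events:
        if e.kind == "DOOR_OPEN":
            last_open[e.atm] = e.ts
        elif e.kind == "BOOT":
            disk = e.detail.split("=", 1)[1]
            prev, opened = last_disk.get(e.atm), last_open.get(e.atm)
            if prev and disk != prev and opened and e.ts - opened <= window:
                flagged.append(e)
            last_disk[e.atm] = disk
    return flagged


def run():
    """Run both checks over the constructed logs."""
    events = parse_events(ATM_EVENTS)
    return unauthorized_dispenses(events, parse_auths(HOST_AUTHS)), tampered_reboots(events)


if __name__ == "__main__":
    bad, swaps = run()
    for e in bad:
        print(f"UNAUTHORIZED DISPENSE {e.atm} {e.ts.isoformat()} {e.detail}")
    for e in swaps:
        print(f"BOOT FROM DIFFERENT DISK AFTER CABINET OPEN {e.atm} {e.ts.isoformat()} {e.detail}")
```

On the constructed data the three $2,000 dispenses at 01:17 and 01:18 have no host authorization and are flagged, while the $100 dispense at 09:30:12 is matched to the authorization two seconds earlier; the 01:14:40 boot is flagged because it came four and a half minutes after the cabinet opened and reported a different disk serial than the boot the previous evening. Both checks only work if the dispenser events and the device-state events are shipped off the ATM to central storage, since malware that owns the Windows host can rewrite anything kept locally.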

Dray Agha, senior manager of security operations at Huntress, said the FBI report should be a wake-up call for financial institutions.

“These attacks can be over in minutes and often go unnoticed until the cash is gone because the malware doesn't trigger the usual bank-side transaction checks,” he added. “Proactive monitoring for unauthorized physical access to the machine's interior, combined with stronger logical access controls for software updates, is critical to stopping these phantom withdrawals.”