A dangerous form of cybercrime targeting ATMs is rapidly increasing in the United States. In response, the Federal Bureau of Investigation (FBI) has issued a special flash alert covering ATM jackpotting malware and related technical information. The alert is intended to warn banks, ATM operators, and other organisations.
According to the FBI, nearly 1,900 ATM jackpotting incidents have been reported since 2020. More than 700 of these incidents were recorded in 2025 alone, with total losses exceeding $20 million. These figures indicate that this crime is not only increasing but is also becoming highly organised and fast-moving.
In ATM jackpotting, criminals exploit physical and software vulnerabilities in ATMs. The attack uses specific types of malware, such as those in the Ploutus family. This malware targets the ATM’s Extensions for Financial Services (XFS) system.
Methods for Hacking an ATM
Normally, an ATM dispenses cash only after bank authorisation, with the request passing through the Extensions for Financial Services (XFS). The Ploutus malware, however, allows criminals to issue commands directly to XFS, bypassing bank authorisation.
This technique allows ATMs to dispense cash without a debit card, a customer account, or a valid transaction. Significantly, this attack is carried out directly against the ATM, not against customer accounts. Once the malware is installed, criminals gain complete control of the machine and can withdraw large amounts of cash within minutes.
How does the malware work?
The FBI reported that, in most cases, criminals unlock ATM front panels using readily available general-purpose keys. They then either remove the ATM’s hard drive and copy the malware to it, or insert an infected external hard drive and reboot the machine.
Several signs of an ATM compromise have been identified. These include the ATM being open outside scheduled maintenance hours, a sudden cash outage, the installation of an unauthorised device, the removal of the hard drive, or the ATM suddenly going out of service.
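The signs listed above can be checked automatically against ATM monitoring data. The following is an added example, not code from the FBI alert or from any ATM vendor: the event names, the tuple layout, the device allowlist and the 30-minute threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO time, ATM id, event type, detail). Hypothetical schema.
EVENTS = [
    ("2025-03-02T10:05:00", "ATM-001", "door_open", ""),
    ("2025-03-03T02:11:00", "ATM-002", "door_open", ""),
    ("2025-03-03T02:13:00", "ATM-002", "disk_removed", ""),
    ("2025-03-03T02:19:00", "ATM-002", "out_of_service", ""),
    ("2025-03-03T02:25:00", "ATM-002", "device_attached", "usb-storage"),
    ("2025-03-03T02:30:00", "ATM-002", "cash_level", "90"),
    ("2025-03-03T02:41:00", "ATM-002", "cash_level", "0"),
]
# Constructed scheduled maintenance windows per ATM.
MAINTENANCE = {"ATM-001": [(datetime(2025, 3, 2, 10, 0), datetime(2025, 3, 2, 11, 0))]}
APPROVED_DEVICES = {"receipt-printer", "card-reader"}  # assumed allowlist
CASH_OUT_WINDOW = timedelta(minutes=30)                # assumed threshold

def in_maintenance(atm, ts):
    return any(start <= ts <= end for start, end in MAINTENANCE.get(atm, []))

def find_indicators(events):
    """Return {atm_id: [(timestamp, indicator), ...]} for the signs listed above."""
    hits = defaultdict(list)
    last_full = {}  # atm -> time the cash level was last reported at >= 50 %
    for raw_ts, atm, kind, detail in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        if kind == "door_open" and not in_maintenance(atm, ts):
            hits[atm].append((ts, "open_outside_maintenance"))
        elif kind == "device_attached" and detail not in APPROVED_DEVICES:
            hits[atm].append((ts, "unauthorised_device"))
        elif kind == "disk_removed":
            hits[atm].append((ts, "hard_drive_removed"))
        elif kind == "out_of_service" and not in_maintenance(atm, ts):
            hits[atm].append((ts, "unexpected_out_of_service"))
        elif kind == "cash_level":
            level = int(detail)
            if level >= 50:
                last_full[atm] = ts
            elif level == 0 and atm in last_full and ts - last_full[atm] <= CASH_OUT_WINDOW:
                hits[atm].append((ts, "sudden_cash_out"))
    return dict(hits)

def high_priority(hits, minimum=2):
    # ATMs showing at least `minimum` distinct indicators are escalated first.
    return sorted(a for a, h in hits.items() if len({name for _, name in h}) >= minimum)

if __name__ == "__main__":
    print(find_indicators(EVENTS), high_priority(find_indicators(EVENTS)))
```

A single indicator can have an innocent cause, so the example escalates only machines that show several of them together.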









