The Federal Bureau of Investigation (FBI) has issued an urgent FLASH report warning financial institutions of a dramatic surge in “jackpotting”—a highly coordinated cyber-physical attack where hackers use malware to empty ATMs of their cash reserves.
Jackpotting attacks require a blend of physical tampering and sophisticated software manipulation. According to the FBI’s actionable cyber intelligence bulletin released in February 2026, “Threat actors exploit physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction”.
The most alarming aspect of the report is the rapid growth of these attacks over the last year. The FBI notes that “Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them with more than $20 million in losses occurred in 2025 alone”. This sharp escalation signals that cybercriminal syndicates have refined their methodologies and are scaling their operations across the United States.
To pull off a jackpotting attack, criminals must hijack the machine’s central nervous system. The FBI report specifically highlights the notorious Ploutus malware as a primary tool of choice.
“Threat actors are deploying ATM jackpotting malware, including the Ploutus family malware, to infect ATMs and force them to dispense cash,” the advisory states.
The brilliance—and danger—of Ploutus lies in its target: the XFS layer. “Ploutus malware exploits the extensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do,” the FBI explains.
In a normal scenario, an ATM application securely communicates through the XFS layer to gain authorization from the bank before opening the cash dispenser. However, Ploutus effectively cuts the bank out of the conversation. The report warns that “If a threat actor can issue their own commands to XFS, they can bypass bank authorization,” turning a secure vault into an unsecured cash dispenser.
Banks and ATM operators are urged to aggressively secure the physical enclosures of their machines, update their software stacks to prevent unauthorized execution, and monitor for the specific indicators of compromise (IOCs) tied to the Ploutus family.
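Because jackpotting dispenses cash "without a legitimate transaction", one monitoring check is to reconcile every dispense recorded at the ATM against approvals issued by the bank's authorization host. The Python below is an added example, not taken from the FBI report or any ATM vendor; the record fields, ATM identifiers and 60-second matching window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names and values are assumptions, not a vendor log format.
HOST_AUTHORIZATIONS = [  # approvals recorded by the bank's authorization host
    {"atm": "ATM-001", "time": "2026-02-10T09:15:02", "amount": 200},
    {"atm": "ATM-001", "time": "2026-02-10T09:40:31", "amount": 60},
    {"atm": "ATM-002", "time": "2026-02-10T10:05:10", "amount": 100},
]
DISPENSE_EVENTS = [  # cash-out events recorded at the ATM itself
    {"atm": "ATM-001", "time": "2026-02-10T09:15:09", "amount": 200},
    {"atm": "ATM-001", "time": "2026-02-10T09:40:40", "amount": 60},
    {"atm": "ATM-002", "time": "2026-02-10T10:05:18", "amount": 100},
    {"atm": "ATM-002", "time": "2026-02-11T02:13:44", "amount": 2000},  # no approval
    {"atm": "ATM-002", "time": "2026-02-11T02:14:20", "amount": 2000},  # no approval
    {"atm": "ATM-001", "time": "2026-02-10T09:41:05", "amount": 60},    # approval already used
]

def find_unauthorized_dispenses(dispenses, authorizations, window_seconds=60):
    """Return dispense events that no host approval explains.

    A dispense is explained only by an unused approval for the same ATM and
    amount issued at most window_seconds before the cash left the machine.
    """
    window = timedelta(seconds=window_seconds)
    unused = [dict(a, ts=datetime.fromisoformat(a["time"])) for a in authorizations]
    unused.sort(key=lambda a: a["ts"])
    flagged = []
    for event in sorted(dispenses, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(event["time"])
        match = next(
            (a for a in unused
             if a["atm"] == event["atm"] and a["amount"] == event["amount"]
             and timedelta(0) <= ts - a["ts"] <= window),
            None,
        )
        if match is None:
            flagged.append(event)
        else:
            unused.remove(match)  # one approval can cover only one dispense
    return flagged

if __name__ == "__main__":
    for e in find_unauthorized_dispenses(DISPENSE_EVENTS, HOST_AUTHORIZATIONS):
        print(f"ALERT {e['atm']} dispensed {e['amount']} at {e['time']} without host approval")
```

The check only works if the dispense records are collected from a source the ATM's own software stack cannot rewrite, since that stack is what the malware controls.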