Over $20 Million Stolen in ATM Hacking Scheme, FBI Warns

I worked in NorCal for Brinks back in the late ’90s, and we were contracted by BofA and Wells Fargo at the time, so we could have $11 million or more on the table to be bagged for ATMs. Also, when we put that money into the ATMs, what cash was left was pulled to be counted and verified from what was withdrawn, so any abnormalities were discovered quickly. But I always found the large megacorp banks to be the best at keeping up their equipment, which is why I only use their ATMs. And I personally don’t trust private parties that run ATMs in public places who might not keep up their hardware, security updates… Also, don’t swipe your cards where they can read the magnetic strip, and only use the smart chip functionality which uses a new card number for each purchase. Online, your credit card company probably has a service to create virtual cards in a similar fashion, so you’re not using your main card number, putting it at risk. And using the tap to pay functionality is also using the smart chip and a new number per transaction. Consequently, there are also services that can give you virtual cards with privacy, provided you trust them not to be collecting transaction data to sell. All that to say, beware what machines you use, and inspect them for possible skimmers, including gas pumps, transportation terminals…

https://www.theepochtimes.com/us/over-20-million-stolen-in-atm-hacking-scheme-fbi-warns-5988542?utm_source=partner&utm_campaign=TheLibertyDaily

The malware allows hackers to get ATMs to release cash without obtaining bank authorization.

By Naveen Athrappully

The Federal Bureau of Investigation has issued a warning about rising nationwide incidents of “ATM jackpotting,” in which criminals hack into ATM machines to steal funds, the agency said in a Feb. 19 Flash alert.

“Threat actors exploit physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction. The FBI has observed an increase in ATM jackpotting incidents across the United States. Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them with more than $20 million in losses occurred in 2025 alone,” the alert said.

To hack ATMs, criminals deploy jackpotting malware. This includes the Ploutus family of malware, which exploits a software layer in ATMs called eXtensions for Financial Services (XFS).

XFS instructs the ATM on what physical action it must take, such as dispensing cash. During a legitimate transaction, the ATM sends instructions via XFS to banks for authorization to release cash. However, a threat actor who gains the ability to issue their own commands to XFS can bypass bank authorization, as Ploutus does.

“Once Ploutus is installed on an ATM, it gives threat actors direct control over the machine, allowing them to trigger cash withdrawals,” the alert said.

“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.”

The FBI listed several indicators of compromise and technical details of ATM jackpotting, and encouraged organizations to implement recommended mitigation measures to counter the threat. This includes ensuring security at the physical, hardware, logging, auditing, network security, and threat intelligence levels.

A major ongoing case of ATM jackpotting involves the Tren de Aragua gang, a designated Foreign Terrorist Organization. On Feb. 20, a federal grand jury charged six individuals with participating in a Tren de Aragua ATM jackpotting scheme, the Department of Justice (DOJ) said in a statement on Friday.

The individuals were charged for “their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States,” the DOJ said.

“Eighty-seven others have already been charged, bringing the total to 93 charged defendants.”

“The loss to victim financial institutions was in excess of $100,000 per jackpotting attempt. The overall loss to the victim financial institutions is over $6 million, with at least an additional $1.74 million attempted,” the DOJ added.

Card Skimming

While the jackpotting scheme targets ATM machines and the banks that fund them, officials have warned about scams involving ATMs that specifically target customers.

Last month, the U.S. Secret Service announced it had investigated 60,000 point-of-sale card readers and terminals in 2025, identifying illegal card-skimming devices and preventing over $428 million in theft.

In card skimming, criminals attach a device to a card reader or payment terminal. When someone uses their card at a reader or terminal, skimming devices enable threat actors to steal card information, such as credit card numbers, CVV codes, expiration dates, and PINs.

Law enforcement agencies have seen a “nationwide increase” in skimming activities, especially targeting electronic benefits transfer (EBT) cards, the Secret Service said.

“EBT fraud targets the nation’s most vulnerable communities. Each month, money is deposited into government assistance accounts intended to help families pay for food and other basic items. This enables criminals who steal card information to time their fraudulent withdrawals and purchases around the monthly deposits,” according to the Secret Service.

“Criminals often steal EBT and other payment card numbers by installing illegal skimming devices on ATMs, gas pumps, and merchant point-of-sale terminals.”

People who use crypto ATMs are also at risk of being defrauded.

According to the FBI’s 2024 Internet Crime Report, published in April 2025, there were 10,956 complaints about cryptocurrency ATM/kiosk fraud in that year, resulting in $246.7 million in losses. Complaints rose by 99 percent from 2023, with losses rising by 31 percent.

Victims of crypto ATM fraud were duped via government impersonation scams, fraudulent investment schemes, and tech support scams, according to the report.