The Federal Bureau of Investigation (FBI) in the United States has issued a warning regarding the rise in ATM jackpotting incidents nationwide, which could result in losses exceeding $20 million by 2025. According to the agency, 700 of the 1,900 ATM jackpotting incidents that have been reported since 2020 occurred last year. The U.S. Department of Justice (DoJ) reported in December 2025 that since 2021, jackpotting attacks have cost the country a total of approximately $40.73 million.

The FBI stated in a bulletin on Thursday that "threat actors use malware and physical and software flaws in ATMs to dispense cash without a legitimate transaction." Specialized malware, like Ploutus, is used in jackpotting attacks to infect ATMs and make them dispense cash.

Cybercriminals have typically been seen using widely accessible generic keys to open an ATM face in order to obtain unauthorized access to the machines. The malware is deployed in at least two different ways: either removing the hard drive from the ATM, connecting it to the attackers' computer, copying the malware to the drive, reattaching it, and restarting the ATM; or replacing the hard drive entirely with a foreign one that already has the malware installed and restarting the ATM. The outcome is the same regardless of the approach taken.

In order to circumvent any security measures included in the original ATM software, the malware is made to communicate directly with the hardware.

The malware does not require a connection to an actual bank card or customer account in order to dispense cash. Because the attack exploits the underlying Windows operating system, it can be used against ATMs of different manufacturers with little to no code changes. Ploutus was first spotted in Mexico in 2013. After installation, it gives threat actors total control over an ATM, allowing them to initiate cash-outs that, according to the FBI, can happen in a matter of minutes and are difficult to identify until the money has been taken out.

According to the FBI, "Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that tells an ATM what to physically do."

"The ATM application uses XFS to send instructions for bank authorization when a valid transaction takes place. Threat actors can completely circumvent bank authorization and direct the ATM to dispense cash upon request if they are able to send their own commands to XFS."

To help organizations reduce the risks associated with jackpotting, the agency has provided a lengthy list of recommendations.

Installing threat sensors, putting up security cameras, and replacing the standard locks on ATMs are some ways to increase physical security. Additional precautions include auditing ATMs, altering default login information, setting up an automated shutdown mode when compromise indicators are found, enforcing device allowlisting to stop unauthorized devices from connecting, and keeping logs.
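
Since jackpotting dispenses cash without bank authorization, one compromise indicator that kept logs can support is a dispense event with no matching host approval. The sketch below is an added example, not code from the FBI bulletin or any ATM vendor. The journal layout, event names, ATM ids and the 30-minute window are all constructed assumptions, and it assumes dispense events come from a source the malware does not control.

```python
from datetime import datetime, timedelta

# Constructed sample data; this field layout is hypothetical, not a vendor format.
# ATM-side journal: timestamp, ATM id, event, optional key=value details
ATM_JOURNAL = """\
2025-03-01T02:10:05 ATM-17 DISPENSE txn=884213 amount=200
2025-03-01T02:41:30 ATM-17 CABINET_OPEN -
2025-03-01T02:43:12 ATM-17 REBOOT -
2025-03-01T02:49:02 ATM-17 DISPENSE txn=- amount=2000
2025-03-01T02:49:40 ATM-17 DISPENSE txn=- amount=2000
2025-03-01T03:05:00 ATM-22 DISPENSE txn=884299 amount=60
"""
# Bank-host record of approved withdrawals: (ATM id, txn id, amount)
HOST_APPROVED = {("ATM-17", "884213", 200), ("ATM-22", "884299", 60)}

TAMPER_EVENTS = {"CABINET_OPEN", "REBOOT"}   # physical access / restart signals
TAMPER_WINDOW = timedelta(minutes=30)        # assumption: tune per fleet

def parse(journal):
    """Yield (timestamp, atm_id, event, fields) for each journal line."""
    for line in journal.splitlines():
        ts, atm, event, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest if "=" in kv)
        yield datetime.fromisoformat(ts), atm, event, fields

def find_alerts(journal, approved):
    """Flag every dispense that the bank host never authorized."""
    last_tamper = {}   # ATM id -> time of most recent tamper event
    alerts = []
    for ts, atm, event, f in parse(journal):
        if event in TAMPER_EVENTS:
            last_tamper[atm] = ts
        elif event == "DISPENSE":
            key = (atm, f.get("txn"), int(f["amount"]))
            if key in approved:
                continue   # legitimate, host-authorized withdrawal
            recent = atm in last_tamper and ts - last_tamper[atm] <= TAMPER_WINDOW
            alerts.append({"atm": atm, "time": ts.isoformat(),
                           "amount": key[2], "after_tamper": recent})
    return alerts

def atms_to_shut_down(alerts):
    """ATMs that should enter the automated shutdown mode."""
    return sorted({a["atm"] for a in alerts})

if __name__ == "__main__":
    found = find_alerts(ATM_JOURNAL, HOST_APPROVED)
    for alert in found:
        print(alert)
    print("take out of service:", atms_to_shut_down(found))
```
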