Financial institutions are being warned by the Federal Bureau of Investigation (FBI) in an emergency FLASH alert about an increase in ATM jackpotting attacks in the US. The alert describes technical information and indicators of compromise (IOCs) associated with the Ploutus malware family, which enables thieves to coerce ATMs into disbursing cash without a customer account or bank card.
Since 2020, the FBI has received reports of over 1,900 ATM jackpotting incidents. In 2025 alone, there were more than 700 of those incidents, with losses totaling more than $20 million. According to the agency, threat actors are infecting ATMs with malware by taking advantage of both software and hardware flaws.

The Operation of Ploutus Malware

Instead of focusing on consumer bank accounts, Ploutus targets the ATM itself.
It takes advantage of the eXtensions for Financial Services (XFS) software layer, which manages hardware operations like dispensing cash. Normally, only after bank authorization does ATM software transmit commands to XFS. Attackers can circumvent bank approval and initiate unauthorized cash withdrawals, though, if they are able to send their own commands to XFS.
With only minor code modifications, the malware can operate on ATMs made by various manufacturers and runs on Windows-based systems. Once installed, it allows attackers to take direct control of the dispenser, allowing for quick "cash-out" operations that can empty an ATM in a matter of minutes. Threat actors usually obtain physical access by using generic keys they bought online to open ATM cabinets.
After removing the hard drive, they either install the malware on it or swap it out for a drive on which the malware has already been installed. The malware becomes active after the ATM is rebooted. Suspicious executables such as Newage.exe, Levantaito.exe, WinMonitor.exe, and Anydesk1.exe are among the digital indicators found on compromised machines.
Additionally, the FBI discovered unauthorized remote access tools like TeamViewer and AnyDesk, custom services with misleading names like "ATM Service" or "Dispenser Service," and unusual registry autoruns. Unexpected process creation (Event ID 4688), USB insertion and file system access events (Event IDs 6416 and 4663), or cleared audit logs (Event ID 1102) can all be found in the Windows Security log. Physical warning indicators include machines that abruptly stop working, unapproved USB devices, and ATM doors that are opened outside of scheduled maintenance.
Guidelines for Mitigation and Reporting

The FBI suggests a multi-layered approach to defense. Improved camera coverage, internal keypads, temperature and vibration sensors, and updated locks are examples of physical controls. It's also advisable to activate hardware safeguards like memory integrity features, device allowlisting, firmware integrity checks with Trusted Platform Modules, and disk encryption.
Institutions should implement targeted audit policies, enable removable storage monitoring, log process creation, and compare file hashes to a reliable "gold image" baseline. Unsigned binaries or unexpected executables should be regarded as possible compromises.
Audit Policy Targets

| Target | Event ID | What to watch |
|---|---|---|
| USB insertion | 6416 | Removable storage |
| File system | 4663 | C:\Users\Public, middleware, writable services, ATM app dirs |
| Process creation | 4688 | Unexpected exes and command lines (enable ProcessCreationIncludeCmdLine_Enabled=1) |

Financial institutions are encouraged to report suspicious activity to the Internet Crime Complaint Center (IC3) or to their local FBI field office. In order to stop additional ATM jackpotting losses, the FBI emphasized the importance of early detection and stringent physical security measures.
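As an added example (not code from the FBI alert or from any ATM vendor), the Python script below runs the detection logic described above over a few constructed Security-log events: it flags the named executables and remote-access tools, removable-storage insertions (6416), file access under C:\Users\Public (4663), cleared audit logs (1102), and 4688 process images whose hash differs from a gold-image baseline. The Sha256 field, the C:\ATM\ application path and the baseline hash are assumptions standing in for a collector that enriches process-creation events with file hashes.

```python
import hashlib

# Executable names and remote-access tools named in the FBI alert.
SUSPICIOUS_EXES = {"newage.exe", "levantaito.exe", "winmonitor.exe",
                   "anydesk1.exe", "anydesk.exe", "teamviewer.exe"}
WATCHED_DIRS = ("c:\\users\\public",)   # 4663 object paths worth alerting on
ATM_APP_PREFIX = "c:\\atm\\"            # assumed ATM application directory
# Assumed gold-image baseline: lower-cased path -> SHA-256 of the approved binary (hash constructed).
GOLD_IMAGE = {"c:\\atm\\app\\atmapp.exe": hashlib.sha256(b"approved-atm-app").hexdigest()}

def classify(event):
    """Return alert strings for one Security-log event given as a dict of field values."""
    alerts = []
    eid = event["EventID"]
    if eid == 1102:
        alerts.append("audit log cleared")
    elif eid == 6416:
        alerts.append(f"removable device attached: {event.get('DeviceDescription', '?')}")
    elif eid == 4663 and event.get("ObjectName", "").lower().startswith(WATCHED_DIRS):
        alerts.append(f"file access in watched dir: {event['ObjectName']}")
    elif eid == 4688:
        image = event.get("NewProcessName", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if name in SUSPICIOUS_EXES:
            alerts.append(f"known jackpotting/remote-access binary: {image}")
        expected = GOLD_IMAGE.get(image.lower())
        if expected is not None and event.get("Sha256") != expected:
            alerts.append(f"hash differs from gold image: {image}")
        elif expected is None and image.lower().startswith(ATM_APP_PREFIX):
            alerts.append(f"executable not in gold image baseline: {image}")
    return alerts

def scan(events):
    """Run classify() over a batch and return (EventID, alert) pairs in log order."""
    return [(e["EventID"], a) for e in events for a in classify(e)]

# Constructed sample events (not real log data); the hash on the last 4688 is deliberately wrong.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 6416, "DeviceDescription": "USB Mass Storage Device"},
    {"EventID": 4663, "ObjectName": "C:\\Users\\Public\\WinMonitor.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\Users\\Public\\Newage.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\ATM\\App\\AtmApp.exe", "Sha256": "deadbeef"},
    {"EventID": 1102},
]

if __name__ == "__main__":
    for eid, alert in scan(SAMPLE_EVENTS):
        print(eid, alert)
```

The benign svchost.exe event produces no alert, while the other five sample events each produce one.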