A 19 February 2026 FBI FLASH (FLASH-20260219-001) alerts banks and ATM operators to an increase in malware-enabled "jackpotting," a trend now observed nationwide in which criminals take advantage of software flaws and physical access to force machines to pay out cash without a legitimate transaction. The alert focuses on Ploutus, a family of malware that targets ATMs and exploits eXtensions for Financial Services (XFS), the software layer that controls the actions of dispenser hardware.
Normally the ATM application sends XFS commands only as part of a transaction the bank has approved, whereas Ploutus allows an intruder to issue those commands directly and circumvent authorization.
More than 700 of the approximately 1,900 jackpotting incidents since 2020 occurred in 2025, resulting in losses of more than $20 million, according to FBI analysts who observed the activity while gathering technical information and indicators of compromise to assist organizations in responding. Ploutus attacks the ATM itself and can dispense cash without a bank card, customer account, or bank approval, so cash-outs can occur in minutes, unlike fraud that relies on stolen card information. Many crews start by opening the ATM face using widely accessible generic keys, and the attack might not be noticed until the machine is low on cash.
Mechanism of infection and on-box management

Attackers can either remove the hard drive, connect it to another computer, copy the malware onto it, reinstall the drive, and reboot the ATM, or they can replace the drive with an external device or foreign drive that already has the payload on it, sometimes with a keyboard or USB hub plugged in. The malicious program communicates directly with hardware through XFS, so it may function even when the ATM is offline and network alerts are silent. Because many ATMs run Windows, the same strategy can be adapted across manufacturers with only minor code changes.
Responders should search for unexpected executables like Newage.exe, NCRApp.exe, WinMonitor.exe, or sdelete.exe, new folders under paths like C:\Users\SSAuto1\AppData\Local\P, unauthorized remote tools like AnyDesk or TeamViewer, registry autoruns, or custom services given generic names like “ATM Service” and “Dispenser Service” in order to remain hidden. The FBI advises replacing standard locks, installing camera coverage and tamper sensors, turning on disk encryption, and whitelisting hardware devices. It also advises turning on targeted Windows auditing to correlate USB insertion, file writes, process creation, and log clearing (Event IDs 6416, 4663, 4688, 1102), validating each ATM against a reliable gold image and baseline hashes, and reporting suspected jackpotting to a local FBI field office or IC3.
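
One way to do the correlation the auditing advice describes, as an added example that is not taken from the FBI FLASH or any vendor tooling. It assumes the four event types have already been exported and reduced to a time, an event ID and a file path; the 15-minute window, the `C:\ExamplePath` paths and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Event IDs named above: device insert, file access, process creation, log clear.
USB, FILE_WRITE, PROC_CREATE, LOG_CLEAR = 6416, 4663, 4688, 1102
# File names the article lists as examples of unexpected executables.
WATCHLIST = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe"}
WINDOW = timedelta(minutes=15)  # assumed correlation window, tune per fleet

def ev(ts, event_id, path=""):
    # Assumed normalised record; 4663 is taken to be pre-filtered to write access.
    return {"time": datetime.fromisoformat(ts), "id": event_id, "path": path.lower()}

# Constructed sample events, not from the advisory.
SAMPLE_EVENTS = [
    ev("2026-01-10T02:10:00", 4688, r"C:\Windows\System32\svchost.exe"),
    ev("2026-01-10T02:14:05", 6416),
    ev("2026-01-10T02:15:30", 4663, r"C:\ExamplePath\WinMonitor.exe"),
    ev("2026-01-10T02:16:02", 4688, r"C:\ExamplePath\WinMonitor.exe"),
    ev("2026-01-10T02:21:40", 1102),
    ev("2026-01-10T09:00:00", 6416),  # device insert with no follow-on activity
    ev("2026-01-10T11:00:00", 4663, r"C:\ExamplePath\update.exe"),
    ev("2026-01-10T11:00:30", 4688, r"C:\ExamplePath\update.exe"),  # no device insert nearby
]

def correlate(events, window=WINDOW):
    """One finding per device insert followed by write-then-run of the same file."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, usb in enumerate(events):
        if usb["id"] != USB:
            continue
        written, executed, cleared = set(), [], False
        for e in events[i + 1:]:
            if e["time"] - usb["time"] > window:
                break
            if e["id"] == FILE_WRITE:
                written.add(e["path"])
            elif e["id"] == PROC_CREATE and e["path"] in written:
                executed.append(e["path"])
            elif e["id"] == LOG_CLEAR:
                cleared = True
        if executed:
            names = {p.rsplit("\\", 1)[-1] for p in executed}
            findings.append({"usb_time": usb["time"], "executed": executed,
                             "watchlist_hits": sorted(names & WATCHLIST),
                             "log_cleared": cleared})
    return findings
```

A finding with `log_cleared` set or a non-empty `watchlist_hits` deserves the highest triage priority, since it chains several of the indicators the alert asks responders to correlate.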


