The FBI on Feb. 19 issued a FLASH alert warning financial institutions about a surge in ATM jackpotting attacks, with more than $20 million stolen in well over 700 attacks in 2025 alone.
The alert describes how attackers use malware such as Ploutus to force ATMs to dispense cash without compromising any customer account. Ploutus works by issuing commands directly to the eXtensions for Financial Services (XFS) software layer, the interface through which ATM applications instruct the machine to perform actions; by talking to that layer itself, the malware bypasses bank authorization and instructs the ATM to dispense cash.
Attackers typically deploy such malware by physically infiltrating the ATM, removing its hard drive and connecting it to their computer, or by replacing the hard drive with one preloaded with malware, according to the FBI. The alert notes that generic keys for ATM faces are widely available, emphasizing that changing standard locks offers one defense against ATM jackpotting.
“The malware can be used across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise,” the FLASH alert explains.
The FBI alert posts a list of indicators of compromise (IoCs) that organizations can use to help detect and prevent such attacks, including the names of malicious executable files and scripts and event IDs for USB insertion events.
The alert also notes that teams should routinely validate ATM file systems against a cryptographically verified “gold image,” with any deviation from the baseline file hashes indicating a potential compromise.
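The gold-image check described above, as an added example that is not part of the FBI alert or of any vendor tool: it hashes every file under a directory tree into a baseline manifest, then classifies a later snapshot as added, removed or modified files. The directory layout, file names and contents in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_gold(gold: dict, current: dict) -> dict:
    """Classify deviations from the gold manifest; any non-empty list is a finding."""
    g, c = set(gold), set(current)
    return {
        "added": sorted(c - g),        # files that were never in the gold image
        "removed": sorted(g - c),      # gold-image files that are now missing
        "modified": sorted(k for k in g & c if gold[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a toy ATM image, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "xfs_host.exe").write_bytes(b"known-good xfs host build")
        (root / "app" / "config.ini").write_text("dispense_limit=400\n")
        gold = build_manifest(root)  # baseline taken from the known-good image
        # Simulated deviation: one binary replaced, one config edited, one file added
        (root / "app" / "xfs_host.exe").write_bytes(b"different xfs host build")
        (root / "app" / "config.ini").write_text("dispense_limit=999999\n")
        (root / "app" / "unexpected.bat").write_text("@echo off\n")
        return diff_against_gold(gold, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest must be signed and stored off the ATM, so that an attacker who swaps the drive cannot rewrite the baseline along with the files.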
FBI recommendations for preventing and detecting ATM jackpotting
The FLASH alert offers recommended mitigations in response to the recent rise in ATM jackpotting attacks, ranging from physical security and hardware defenses to network security and endpoint detection and response (EDR) measures.
The FBI recommends the use of threat sensors that monitor unusual vibration or temperature changes, which could indicate suspicious activity.
In addition to changing standard locks for ATM faces, financial institutions could also install keypads or other keyed barriers to components like the maintenance hatch and cashbox as another layer of defense. ATM security cameras should also offer a sufficient view to detect such attacks and preserve recordings for use in incident response and investigations.
Teams need to protect ATM hardware with security settings that enable preventative action when a combination of ATM jackpotting IoCs is detected, such as entering an automatic shutdown that prevents cash from being dispensed, the FBI states.
Organizations can also use device whitelisting to prevent the connection of unauthorized devices and disk encryption to prevent external files from being introduced into an unplugged hard drive. Firmware integrity checks using the Trusted Platform Module 1.2, tracking components using Software Bills of Materials (SBOMs) and Hardware Bills of Materials (HBOMs), and use of the Windows memory integrity feature are also recommended.
Enabling security audit policies such as “Audit Removable Storage” and “Audit Object Access” for targeted system access control lists (SACLs) ensures logging of potential ATM jackpotting events. The FBI also recommends organizations change any default credentials associated with ATM devices and audit their ATMs to ensure all security mechanisms are properly enabled.
“An audit of the device’s updates and security implementations on a test device in a pre-production environment could ensure they are operating in an expected way,” the guidance states.
Finally, the FBI recommends IP whitelisting to block potential remote attacks, software whitelisting, the use of antimalware or antivirus software for endpoint protection, and threat readiness measures such as employee training and sharing of threat intelligence among industry groups as additional ways to combat ATM jackpotting.
“Familiarization with software updates and physical maintenance schedules could allow security personnel to easily identify unusual activity,” the alert notes.