NextFin News - The Federal Bureau of Investigation (FBI) has released a comprehensive report detailing a significant escalation in ATM "jackpotting" attacks, revealing that cybercriminals successfully siphoned over $20 million from automated teller machines across the United States throughout 2025. According to a flash alert issued by the FBI on Thursday, February 19, 2026, the surge represents a critical shift in the threat landscape, with 700 of the 1,900 total incidents recorded since 2020 occurring in the last calendar year alone. These attacks, which involve the physical installation of malware to force machines to dispense cash on command, have become increasingly sophisticated, often executed in mere minutes by organized criminal syndicates.
The mechanics of these breaches, as outlined by the FBI, rely on a combination of physical intrusion and digital exploitation. Attackers typically use generic keys to open the ATM's faceplate (the upper cabinet that houses the Windows PC, not the cash safe), which lets them disconnect the internal hard drive so it can be modified offline or insert a malware-infected USB device. Once the malicious code, most notably the Ploutus family, is running on the ATM's PC, it drives the cash dispenser through the Extensions for Financial Services (XFS) layer, the middleware API that the legitimate ATM application uses to control its peripherals. Because the malware issues the dispense command itself, it skips the authorization the real application would obtain from the bank's host, and cash is dispensed without ever touching a customer's account. The FBI noted that the speed of these "cash-out" operations makes them exceptionally difficult to detect in real time, with many banks only discovering the loss after the physical currency has been removed.
The resurgence of jackpotting in 2025 is largely attributed to the involvement of transnational criminal organizations. In December 2025, the U.S. Department of Justice indicted 54 individuals linked to the Tren de Aragua gang, a Venezuelan-origin syndicate now classified as a foreign terrorist organization. According to Acting Assistant Attorney General Matthew Galeotti, these groups employ methodical surveillance and burglary techniques to facilitate their malware campaigns. The evolution of the Ploutus malware has further lowered the barrier to entry: early versions required unique 8-digit activation keys and an external keyboard attached to the machine, while modern variants such as Ploutus-D target the Kalignite multi-vendor XFS platform, so a single build can run on hardware from the more than 40 ATM vendors that platform supports.
From a technical perspective, the vulnerability of the U.S. ATM infrastructure stems from its reliance on aging Windows-based operating systems and standardized hardware components. While European markets have seen a decline in such attacks—dropping to zero confirmed malware incidents in the first half of 2025 according to the European Association for Secure Transactions (EAST)—the U.S. remains a lucrative target due to slower adoption of hardware hardening standards. The FBI’s data suggests that the $20 million loss in 2025 is part of a broader trend that has seen over $40.7 million stolen via jackpotting since 2021. This disparity highlights a critical need for U.S. financial institutions to move beyond simple software patches and toward comprehensive physical security overhauls.
Looking ahead, the FBI and security analysts expect ATM malware to continue evolving toward remote execution and automated management of the "mules" who collect the cash. Operators are increasingly countering hard-drive swaps and offline tampering with full-disk encryption and firmware-level boot integrity checks, and attackers are in turn adapting to defeat those controls. To mitigate these risks, U.S. President Trump's administration has signaled a push for enhanced cybersecurity standards within the financial sector. The FBI recommends that operators install non-standard locks, fit physical sensors that detect faceplate tampering, and configure machines to enter an automatic "out of service" mode whenever internal hardware is disconnected without authorization. As criminal syndicates become more decentralized and technologically capable, the battle for ATM security will likely shift from the software layer to the physical integrity of the machine itself.
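As an added illustration of the two detection points this article describes (the dispense-without-authorization signature and the tamper-then-hardware-change sequence that should trip an automatic "out of service"), the following Python is example code, not code from the FBI, NextFin, or any ATM vendor. It correlates a constructed, hypothetical event feed: host authorizations and XFS dispense events from the ATM PC, plus faceplate-sensor and hardware-change events. The log format, field names, event names and time thresholds are all assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events for illustration only. The layout
# "<ISO timestamp> <source> <event> key=value ..." is an assumption of this
# example, not any vendor's or the FBI's log schema.
SAMPLE_LOG = """\
2025-06-14T02:13:05 HOST AUTH_OK txn=4471 amount=200
2025-06-14T02:13:07 XFS DISPENSE txn=4471 amount=200
2025-06-14T03:41:10 SENSOR FACEPLATE_OPEN
2025-06-14T03:41:32 OS USB_INSERTED vid=0781 pid=5581
2025-06-14T03:42:40 XFS DISPENSE amount=1000
2025-06-14T03:42:43 XFS DISPENSE amount=1000
"""

AUTH_WINDOW = timedelta(seconds=30)    # a dispense must follow its host authorization within this window
TAMPER_WINDOW = timedelta(minutes=10)  # faceplate open + hardware change inside this window = intrusion
HARDWARE_EVENTS = {"USB_INSERTED", "DISK_DISCONNECTED", "DISK_CONNECTED"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(.*)$")


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    attrs: dict


@dataclass
class Report:
    alerts: list = field(default_factory=list)      # (timestamp, rule, message)
    out_of_service_at: Optional[datetime] = None    # time the machine should have been taken offline


def parse_event(line: str) -> Event:
    """Parse one hypothetical log line into an Event; trailing key=value pairs become attrs."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, source, kind, rest = m.groups()
    attrs = dict(kv.split("=", 1) for kv in rest.split())
    return Event(datetime.fromisoformat(ts), source, kind, attrs)


def analyze(log_text: str) -> Report:
    """Run both jackpotting rules over a chronological event feed."""
    report = Report()
    authorized = {}            # txn id -> time the host approved it
    faceplate_open_at = None   # most recent faceplate-open sensor event

    def trip(ev: Event, rule: str, msg: str) -> None:
        report.alerts.append((ev.ts, rule, msg))
        if report.out_of_service_at is None:     # first alert takes the machine out of service
            report.out_of_service_at = ev.ts

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)

        if ev.source == "HOST" and ev.kind == "AUTH_OK":
            authorized[ev.attrs["txn"]] = ev.ts

        elif ev.source == "SENSOR" and ev.kind == "FACEPLATE_OPEN":
            faceplate_open_at = ev.ts

        elif ev.kind in HARDWARE_EVENTS:
            # Rule 1: a USB or disk change shortly after the faceplate opened is the
            # physical-intrusion pattern the FBI describes; go out of service at once.
            if faceplate_open_at is not None and ev.ts - faceplate_open_at <= TAMPER_WINDOW:
                trip(ev, "physical_tamper",
                     f"{ev.kind} {ev.ts - faceplate_open_at} after faceplate opened")

        elif ev.source == "XFS" and ev.kind == "DISPENSE":
            # Rule 2: every dispense must be preceded by a host authorization for the
            # same transaction; malware driving XFS directly has none.
            auth_ts = authorized.get(ev.attrs.get("txn"))
            if auth_ts is None or not (timedelta(0) <= ev.ts - auth_ts <= AUTH_WINDOW):
                trip(ev, "unauthorized_dispense",
                     f"dispense of {ev.attrs.get('amount')} with no matching host authorization")

    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for ts, rule, msg in r.alerts:
        print(ts.isoformat(), rule, msg)
    print("out of service at:", r.out_of_service_at)
```

On the sample feed the tamper rule fires at the USB insertion, 22 seconds after the faceplate opens and more than a minute before the first fraudulent dispense, which is the point of the FBI's "out of service on unauthorized hardware disconnection" recommendation: the cash-out window is minutes, so the trigger has to be the physical event, not the dispense. The dispense correlation is still worth running, but it only has value if the authorization record comes from the bank's host or switch and the dispenser events are collected by something the ATM PC cannot tamper with; malware that owns the Windows host can suppress or forge the ATM's own logs.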

