Thieves stole more than $20 million from compromised ATMs last year using a malware-assisted technique that the FBI says is on the uptick across the United States.
They are doing this through ATM jackpotting – a cyber-physical attack in which crooks exploit physical and software vulnerabilities in ATMs to deploy malware that instructs the machine to dispense cash on demand without bank authorization. Of the 1,900 such incidents reported since 2020, more than 700 occurred in 2025 alone, according to a Thursday security alert [PDF].
Crims typically gain initial access via generic keys that open the ATM face, and then infect the machine with malware, either removing the ATM’s hard drive and copying malware onto it before putting it back into the machine, or simply replacing the hard drive with one that’s preloaded with ATM jackpotting code.
Ploutus malware, which is commonly used in these attacks, exploits eXtensions for Financial Services (XFS), an open-standard API used by ATMs, POS terminals, and similar devices that run banking applications. It allows the banking software to work across different vendors’ hardware and tell the ATM what to do – for example, send this transaction to the bank for authorization, and then dispense cash to the customer.
The malware, however, allows the attackers to issue their own commands to XFS, bypass bank authorization, and instruct the ATM to dispense cash on demand.