
The surge highlights a growing vulnerability in legacy ATM infrastructure, threatening banks' cash assets and prompting urgent security upgrades across the financial sector.
The phenomenon of ATM jackpotting, once a curiosity showcased by Barnaby Jack at Black Hat, has matured into a multi‑million‑dollar criminal operation. Early demonstrations proved the concept, but today organized groups leverage both hardware tampering and sophisticated software to breach cash machines worldwide. This evolution underscores how legacy systems, built on generic Windows platforms and XFS interfaces, remain attractive targets for cyber‑physical attacks.
According to the FBI’s latest bulletin, 2025 saw more than 700 successful jackpotting incidents, yielding roughly $20 million in illicit cash. Central to these breaches is Ploutus malware, which hijacks the ATM’s operating system and manipulates XFS commands to force the dispenser to release notes without debiting any account. Attackers typically gain initial entry by using universal keys to open the front panel, then install the payload on the machine’s hard drive. Once active, the code can execute a “cash‑out” command in seconds, often leaving no immediate forensic trace until the money is gone.
For banks and ATM operators, the rise of jackpotting demands a reassessment of both physical and cyber defenses. Upgrading to hardened, non‑Windows operating systems, implementing tamper‑evident seals, and deploying real‑time monitoring of dispenser commands are becoming industry standards. Regulators are also urging tighter reporting requirements and coordinated threat‑intelligence sharing. As attackers refine their tools, the financial sector must adopt a layered security posture to protect cash assets and maintain consumer confidence.
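One way to implement the real-time monitoring of dispenser commands described above, as an added example that is not from the article or any vendor: it reconciles every dispense event against a fresh host authorization and records whether the cabinet was opened shortly beforehand. The event types, field names, time windows and sample records are constructed assumptions, not a real XFS or ATM log format.

```python
from datetime import datetime, timedelta

# Constructed sample events; event types and field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:10:00", "atm": "ATM-01", "type": "HOST_AUTH", "txn": "T100", "amount": 200},
    {"ts": "2025-03-01T02:10:04", "atm": "ATM-01", "type": "DISPENSE", "txn": "T100", "amount": 200},
    {"ts": "2025-03-01T03:40:00", "atm": "ATM-02", "type": "CABINET_OPEN"},
    {"ts": "2025-03-01T03:52:10", "atm": "ATM-02", "type": "DISPENSE", "txn": None, "amount": 800},
    {"ts": "2025-03-01T03:52:25", "atm": "ATM-02", "type": "DISPENSE", "txn": None, "amount": 800},
    {"ts": "2025-03-01T04:00:00", "atm": "ATM-01", "type": "HOST_AUTH", "txn": "T101", "amount": 100},
    {"ts": "2025-03-01T04:00:05", "atm": "ATM-01", "type": "DISPENSE", "txn": "T101", "amount": 300},
]

def find_unauthorized_dispenses(events, auth_window=timedelta(seconds=60),
                                tamper_window=timedelta(hours=1)):
    """Return an alert for every dispense not backed by a fresh host authorization."""
    pending = {}    # (atm, txn) -> (authorization time, authorized amount)
    last_open = {}  # atm -> time the cabinet was last opened
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, atm = datetime.fromisoformat(ev["ts"]), ev["atm"]
        if ev["type"] == "HOST_AUTH":
            pending[(atm, ev["txn"])] = (ts, ev["amount"])
        elif ev["type"] == "CABINET_OPEN":
            last_open[atm] = ts
        elif ev["type"] == "DISPENSE":
            # pop() consumes the authorization, so a repeated dispense is flagged
            auth = pending.pop((atm, ev.get("txn")), None)
            if auth is None or ts - auth[0] > auth_window:
                reason = "no_host_authorization"
            elif ev["amount"] > auth[1]:
                reason = "amount_exceeds_authorization"
            else:
                continue  # dispense matches a fresh authorization
            opened = last_open.get(atm)
            alerts.append({
                "atm": atm, "ts": ev["ts"], "amount": ev["amount"], "reason": reason,
                "after_cabinet_open": opened is not None and ts - opened <= tamper_window,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_unauthorized_dispenses(SAMPLE_EVENTS):
        print(alert)
```

The reconciliation is only meaningful if the authorization records come from the host side rather than from the ATM's own disk, since the article describes the payload running on the machine itself.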