ATMs are once again the target of a large-scale campaign of digital theft, but this time the weapon is not a skimmer hidden in the card slot but malicious software that forces the machine to dispense banknotes without any legitimate transaction. The U.S. Federal Bureau of Investigation (FBI) has warned of a significant increase in such incidents, known in the trade as "jackpotting": since 2020, almost 1,900 attacks have been reported, about 700 of them in the last year alone, with losses exceeding 20 million dollars in 2025, according to the FBI's own technical bulletin.
Behind many of these episodes is specialized malware whose families researchers identified and have studied for years. A paradigmatic example is Ploutus, first detected in Mexico in 2013, which lets attackers take direct control of the ATM's hardware. Unlike traditional bank fraud, there is no need to clone a card or access customer accounts: the aim is to force the ATM to dispense cash through malicious commands that the infected software sends to the dispenser itself.

The attack combines two critical ingredients: physical vulnerabilities and weaknesses in the software. In many cases criminals obtain physical access simply by opening the ATM's top cabinet with generic, widely available keys. Once inside, they have time to manipulate the equipment internally and begin the infection. A frequent technique is to remove the ATM's hard drive, copy or replace its contents with an image containing the malware, reassemble the machine and restart it. Another variant is to swap the disk for one already prepared with the malicious software, so that the attack runs as soon as the computer is powered on.
What makes defense particularly difficult is that the malware does not operate at the level of the ATM's banking application but talks to the layer that controls the hardware: in most ATMs that interaction is handled through the XFS (eXtensions for Financial Services) specification, the vendor-neutral middleware through which the ATM application drives peripherals such as the cash dispenser. Any process able to issue its own instructions to that layer can bypass the bank's authorization entirely and order cash to be dispensed on demand. Moreover, many of these machines run on Windows, which makes it easier to adapt the same set of malicious tools, with few changes, to ATMs from different manufacturers. Technical background on CEN/XFS is available on Wikipedia, and Ploutus has its own published entry.
The speed of the attack is another reason it appeals to criminals: once the software is in place, a "cash-out" can take minutes and usually goes unnoticed until the cash is already gone. The U.S. Department of Justice and the FBI have been tracking the phenomenon and documenting cumulative losses reaching tens of millions of dollars in recent years; for an official, technical account of these incidents and the recommended measures, the FBI issued a notice summarizing the threat and suggested countermeasures (FBI IC3 bulletin).
Against this backdrop, the response cannot be only digital or only physical: it must combine both. The authorities' recommendations insist on strengthening access control and surveillance around ATMs, replacing standard locks with more secure ones and fitting machines with sensors that detect opening or tampering. The logic is clear: without physical access, many of the infection chains are cut off. But that is not enough.
At the software and fleet-management level it is advisable to audit devices regularly, remove default accounts and credentials, and enforce allowlisting policies that block the connection or use of unauthorized storage devices. ATMs should also have automatic shutdown or quarantine modes that trigger when indicators of compromise are detected, and should keep detailed activity logs so that events can be reconstructed and forensic investigation supported. These measures help close the routes that exploit both physical access and manipulation of the underlying operating system.
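The two recommendations above, quarantine on indicators of compromise and detailed activity logs, come together in the kind of correlation a fleet operator would run over an ATM's logs. The following is an added example, not code from the article, the FBI bulletin or any ATM vendor: it assumes a hypothetical pipe-delimited log in which the host's transaction authorizations, the XFS-level dispense commands and operating-system device events are recorded side by side, and flags a dispense that no host authorization covers (the signature of a jackpot, since the malware bypasses the bank's authorization) as well as any removable storage device being attached, which the allowlisting policy should never permit. The log lines are constructed for the example.

```python
"""Correlate ATM activity logs to detect jackpotting indicators (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log in a hypothetical format: timestamp|source|event|key=value ...
# "host" = bank host authorizations, "xfs" = dispenser commands, "os" = OS device events.
SAMPLE_LOG = """\
2025-03-01T10:00:01|host|AUTH_OK|txn=1001 amount=100
2025-03-01T10:00:03|xfs|DISPENSE|txn=1001 amount=100
2025-03-01T10:07:12|os|USB_STORAGE_ATTACH|vid=0781 pid=5567
2025-03-01T10:07:40|xfs|DISPENSE|txn=- amount=2000
2025-03-01T10:07:55|xfs|DISPENSE|txn=- amount=2000
2025-03-01T10:20:00|host|AUTH_OK|txn=1002 amount=60
2025-03-01T10:20:02|xfs|DISPENSE|txn=1002 amount=60
"""


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    fields: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, kind, details = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in details.split())
        events.append(Event(datetime.fromisoformat(ts), source, kind, fields))
    return events


def detect_indicators(events: List[Event],
                      auth_window: timedelta = timedelta(seconds=30)) -> List[str]:
    """Return alert strings for dispenses with no matching host authorization
    (same txn id and amount, within auth_window) and for removable storage attaches."""
    alerts: List[str] = []
    pending: List[Event] = []  # host authorizations not yet consumed by a dispense
    for ev in events:
        if ev.source == "host" and ev.kind == "AUTH_OK":
            pending.append(ev)
        elif ev.source == "xfs" and ev.kind == "DISPENSE":
            match: Optional[Event] = None
            for auth in pending:
                if (ev.ts - auth.ts <= auth_window
                        and auth.fields.get("txn") == ev.fields.get("txn")
                        and auth.fields.get("amount") == ev.fields.get("amount")):
                    match = auth
                    break
            if match is None:
                alerts.append(f"{ev.ts.isoformat()} UNAUTHORIZED_DISPENSE "
                              f"amount={ev.fields.get('amount')}")
            else:
                pending.remove(match)  # one authorization covers exactly one dispense
        elif ev.source == "os" and ev.kind == "USB_STORAGE_ATTACH":
            alerts.append(f"{ev.ts.isoformat()} REMOVABLE_STORAGE "
                          f"vid={ev.fields.get('vid')} pid={ev.fields.get('pid')}")
        # Authorizations older than the window can no longer justify a dispense.
        pending = [a for a in pending if ev.ts - a.ts <= auth_window]
    return alerts


def should_quarantine(alerts: List[str]) -> bool:
    """Quarantine policy: any unauthorized dispense or removable-storage event trips it."""
    return any("UNAUTHORIZED_DISPENSE" in a or "REMOVABLE_STORAGE" in a for a in alerts)


if __name__ == "__main__":
    found = detect_indicators(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print("quarantine:", should_quarantine(found))
```

On the sample log the two legitimate withdrawals (txn 1001 and 1002) are silently matched to their authorizations, while the USB attach and the two 2000-unit dispenses with no transaction behind them produce alerts and trip the quarantine decision. In a real deployment the interesting design question is the authorization window: too long and an attacker can ride an old authorization, too short and slow host links produce false positives.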

The human factor must not be forgotten: training the staff who maintain and inspect this equipment is key to spotting anomalies in time. Something as routine as visually inspecting tamper-evident seals, checking activity logs or verifying that locks and sensors work correctly can make the difference between a failed attempt and a real loss.
Although jackpotting is not a new threat, its persistence and the sophistication of the methods used force banks, ATM operators and authorities to coordinate more closely. From the public's point of view, the direct risk is usually lower (the attackers go after the physical cash in the machines, not personal accounts), but the economic impact and the blow to confidence are palpable for the industry. For those who want to dig deeper into the technical aspects and the evolution of the problem, in addition to the FBI bulletin there is extensive technical and journalistic coverage tracking similar incidents worldwide; reviewing historical analyses of jackpotting helps to understand how the tactics change and which practices have proved most effective at mitigating them.
The main lesson is twofold and urgent: strengthen the physical security of ATMs and do not underestimate the attack surface of the software that governs their hardware. Both halves of the problem must be hardened at the same time to shrink the window attackers exploit and to minimize economic losses and damage to public confidence.