ATM Jackpotting: the theft that combines physical intrusion and malware to empty banks


The FBI's warning is not a science fiction story: last year the attacks known as "jackpotting", in which criminals force ATMs to spit out money using malware, saw a worrying upturn. According to the technical alert published by the FBI, banks and ATM operators reported more than 700 incidents in 2025 alone, on top of approximately 1,900 cases reported since 2020, with estimated losses exceeding $20 million. These are not complex remote frauds against cloud accounts, but attacks that, in many cases, require physical entry into the machine and are carried out within minutes.

To understand why these robberies are so effective, it helps to look at the ATM's heart: the software layer that tells the physical hardware what to do. Many ATMs use the standard known as eXtensions for Financial Services, or XFS. When a user makes a legitimate withdrawal, the ATM application sends instructions through XFS and asks the bank for authorization before releasing notes. Malware such as Ploutus and its more recent variants targets precisely that layer: an attacker who can issue commands directly to XFS can skip the bank's authorization step and order the ATM to dispense cash on demand, with no card or associated account.

[Image generated with AI]

The procedure is not sophisticated in engineering terms: it usually combines physical access with prior preparation. Forensic reports show that criminals open the housing with widely available generic keys, extract the ATM's hard drive or use ports to load software from removable media, and replace or overwrite the system image with one containing malware. On other occasions, the machine is prepared in advance and the attacker only has to insert a new disk or device on site and run the code. The result is an ATM that appears to operate normally until, suddenly, it starts dispensing notes without any valid recorded transaction.

These attacks often go unnoticed by institutions until the cash has already disappeared. Because the attack combines physical intrusion with manipulation of the system image, many network monitoring solutions never see the malicious activity: the ATM can keep communicating with central systems and appear normal while the attack runs locally.

In view of this scenario, the FBI's own recommendation points to simple but effective measures: audit the ATMs for unauthorized use of removable storage and unknown processes, and validate the integrity of the system's "gold" image to detect manipulation early. Combining physical controls (key locks and custody, tamper-evident seals, cameras) with logical controls (disabling boot from USB, disk encryption, image verification, a process allowlist) significantly narrows the attackers' window of opportunity. For those who want to dig deeper into how Ploutus operates and how it has evolved, there are technical analyses that explain its modus operandi, such as those published by security specialists at ESET.

The increase in incidents has been accompanied by police and judicial activity. In the United States, investigations have focused on organized networks; the Justice Department has brought charges against multiple people linked to large-scale schemes that allegedly used this type of malware to empty ATMs. Although prosecution is complex and penalties vary by jurisdiction and charge, these cases show that the groups responsible can grow into transnational organizations capable of coordinating both criminal logistics and the engineering of malicious software. For official statements and actions, the Department of Justice website is the institutional reference.

[Image generated with AI]

What can financial institutions and ATM operators do right now? Beyond audits and image validation, there are specific measures that reduce exposure: physically protect the units, strictly control who has access to keys and internal components, keep hardware and software inventories, implement detection of unauthorized USB devices and, very importantly, maintain rapid response procedures for when an intrusion is detected. Collaboration between industry and security agencies is also essential: sharing indicators of compromise and observed tactics helps prevent copycat attacks and malware variants.
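The two defensive controls the article and the FBI alert keep returning to, validating the system image against a known-good "gold" manifest and flagging processes that are not on an allowlist, can be expressed in a few dozen lines. The script below is an added example written for this page; it is not code from the article, the FBI or any ATM vendor. The directory layout, file names and process names it uses are constructed for the demonstration, and a real deployment would store the gold manifest off the machine (or sign it) so that whoever replaces the disk cannot also replace the baseline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed allowlist of process names expected on the ATM (hypothetical names).
ALLOWLIST = {"atmapp.exe", "xfshost.exe", "explorer.exe"}


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, '/' separators) to its digest.
    Run once on the trusted gold image; the result is the baseline to verify against."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_image(root: Path, gold: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live filesystem under root with the gold manifest.
    'modified' = digest changed, 'missing' = baseline file gone,
    'unexpected' = file present that the gold image never had (e.g. a dropped binary)."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in gold if k in current and current[k] != gold[k]),
        "missing": sorted(k for k in gold if k not in current),
        "unexpected": sorted(k for k in current if k not in gold),
    }


def unknown_processes(running: list[str], allowlist: set[str]) -> list[str]:
    """Return running process names that are not on the allowlist (case-insensitive)."""
    allowed = {a.lower() for a in allowlist}
    return sorted({p for p in running if p.lower() not in allowed})


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Build a tiny constructed 'gold image', tamper with it, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "atmapp.exe").write_bytes(b"legitimate application build")
        (root / "bin" / "xfs_bridge.dll").write_bytes(b"legitimate xfs middleware")
        gold = build_manifest(root)  # baseline taken from the trusted image

        # Simulated tampering: one middleware file overwritten, one new binary dropped.
        (root / "bin" / "xfs_bridge.dll").write_bytes(b"patched middleware")
        (root / "bin" / "dispenser_tool.exe").write_bytes(b"dropped binary")
        report = verify_image(root, gold)

    # Constructed process snapshot: two expected processes plus one that is not allowlisted.
    running = ["explorer.exe", "AtmApp.exe", "unknown_tool.exe"]
    return report, unknown_processes(running, ALLOWLIST)


if __name__ == "__main__":
    image_report, stray = demo()
    print("image integrity:", image_report)
    print("processes not on allowlist:", stray)
```

In practice the manifest check runs at boot and on a schedule, and any non-empty "modified" or "unexpected" list, or any process outside the allowlist, is raised as an alert to the operator's response team rather than merely logged on the ATM itself.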

For everyday ATM users, the direct risk is limited (the attacks target the ATM itself, not specific accounts), but it is wise to stay alert: if an ATM shows signs of physical tampering, behaves erratically or does not issue a receipt, it is better to use another terminal and notify the bank. In an age in which software increasingly defines hardware behavior, physical security and cybersecurity must go hand in hand to prevent an ATM from becoming an unguarded cash register.

This type of attack reminds us that technological security is not just a matter of patches and firewalls: it is a discipline that blends human controls, processes and technology. The current FBI evidence and recommendations stress that acting on each of these layers, from key management to system image integrity, is the only way to close in on those who turn an ATM into a vending machine for illicit money. For more context and journalistic follow-up on these events and their evolution, specialized outlets such as BleepingComputer provide constant and up-to-date coverage.
