
ATM “jackpotting” has moved from a conference-stage demonstration into a sustained criminal operation, with the FBI reporting more than 700 attacks on cash dispensers in 2025 that produced at least $20 million in losses, driven by a mix of physical access methods and malware that gives attackers direct control over machines.
From Onstage Demo To Criminal Method
The technique traces back to 2010, when security researcher Barnaby Jack demonstrated an ATM exploit onstage at the Black Hat security conference and forced a machine to eject cash in front of an audience. More than a decade later, the same class of attack now appears in routine criminal activity, according to a new FBI security bulletin.
The bureau said attackers have “rapidly ramped up” activity in recent years. In 2025 alone, it counted over 700 incidents targeting cash dispensers, with total losses of at least $20 million in stolen notes.
How The Attacks Are Carried Out
The bulletin describes two main approaches. One relies on physical access to the machines, including the use of generic keys to open front panels and reach internal components such as hard drives. The other relies on digital tools, including malware planted on the ATM to force it to dispense cash quickly.
Both approaches focus on the machine itself rather than on customer accounts, a detail the FBI highlighted as a reason the thefts can be completed in a short time and remain unnoticed until after the cash is gone.
Ploutus And The Windows-Based ATM Stack
The FBI singled out one malware family, known as Ploutus. According to the bulletin, it affects a variety of ATM manufacturers and cash dispensers by targeting the Windows operating system that powers many machines. Once installed, Ploutus grants attackers full control over the compromised ATM and allows them to issue instructions that cause the dispenser to release cash without drawing funds from customer accounts.
Ploutus exploits the Extensions for Financial Services, or XFS, software layer. ATMs use XFS to communicate with hardware components such as the PIN keypad, the card reader, and the cash dispensing unit. By abusing this interface, the malware can direct the dispenser to pay out notes on command.
“Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn,” the FBI said in the bulletin.
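A defender-side illustration of the detection gap described above, added here and not taken from the FBI bulletin or any vendor: a jackpotting payout draws on no customer account, so a dispense with no matching host authorization is the signal to reconcile for. The record layouts, field names, sample events and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names and formats are assumptions.
# Dispenser-side events recorded at the ATM (notes physically paid out).
DISPENSE_EVENTS = [
    {"atm": "ATM-001", "ts": "2025-03-01T02:10:05", "amount": 200},
    {"atm": "ATM-001", "ts": "2025-03-01T02:14:40", "amount": 2000},
    {"atm": "ATM-001", "ts": "2025-03-01T02:15:10", "amount": 2000},
    {"atm": "ATM-002", "ts": "2025-03-01T09:30:00", "amount": 60},
]
# Withdrawals the bank's host authorized against a customer account.
HOST_AUTHORIZATIONS = [
    {"atm": "ATM-001", "ts": "2025-03-01T02:10:01", "amount": 200},
    {"atm": "ATM-002", "ts": "2025-03-01T09:29:57", "amount": 60},
]

def unmatched_dispenses(dispenses, auths, window=timedelta(seconds=30)):
    """Return dispense events with no host authorization for the same ATM
    and amount in the preceding `window`. Each authorization matches once."""
    remaining = [dict(a, t=datetime.fromisoformat(a["ts"])) for a in auths]
    flagged = []
    for ev in sorted(dispenses, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        match = next((a for a in remaining
                      if a["atm"] == ev["atm"] and a["amount"] == ev["amount"]
                      and timedelta(0) <= t - a["t"] <= window), None)
        if match is not None:
            remaining.remove(match)  # consume it so one approval covers one payout
        else:
            flagged.append(ev)
    return flagged

def exposure_by_atm(flagged):
    """Sum unreconciled cash per ATM to prioritize response."""
    totals = {}
    for ev in flagged:
        totals[ev["atm"]] = totals.get(ev["atm"], 0) + ev["amount"]
    return totals

if __name__ == "__main__":
    alerts = unmatched_dispenses(DISPENSE_EVENTS, HOST_AUTHORIZATIONS)
    for ev in alerts:
        print(f"ALERT {ev['atm']} {ev['ts']}: {ev['amount']} dispensed, no host authorization")
    print(exposure_by_atm(alerts))
```

The check is only as trustworthy as the dispenser-side record, so that feed should come from a source the ATM's own application software cannot rewrite.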
Prior Research On XFS Weaknesses
The warning follows earlier work by security researchers who identified problems in XFS software that could allow attackers to trick ATMs into dispensing cash. Those findings focused on weaknesses in the software layer rather than on account compromise, a distinction that matches the FBI’s description of current attacks.
Sources referenced include the FBI security bulletin and prior research by security researchers on XFS-related issues.
