FBI flags surge in ATM jackpotting
Ploutus malware exploits Windows XFS stacks, compliance theater meets physical access
Barnaby Jack, the late security researcher credited with the first ATM “jackpotting” attacks. Image credit: YouTube
Source: Zack Whittaker, techcrunch.com
ATM “jackpotting” is what happens when legacy cash infrastructure meets a threat model designed for auditors, not adversaries.
According to TechCrunch, the FBI has issued a bulletin warning that “jackpotting” attacks are rising sharply, citing more than 700 attacks on cash dispensers in 2025 and at least $20 million in stolen cash. The method is refreshingly direct: criminals gain physical access to an ATM—sometimes using generic keys to open front panels and reach internal components—then deploy malware that commands the machine to dispense banknotes on demand.
What’s notable is the target. The FBI says these attacks hit the ATM itself rather than customer accounts, enabling “fast cash-out operations” that can be completed in minutes and may not be detected until after the money is gone. No phishing campaign, no credential stuffing, no account takeover. Just a compromised endpoint that obediently turns into a cash cannon.
The bulletin highlights a malware family called Ploutus, which TechCrunch reports targets the Windows operating system still powering many ATMs. Once it is running on the ATM's PC core, Ploutus can take full control of the machine and drive the cash dispenser through the CEN/XFS (eXtensions for Financial Services) layer, the middleware that ATM applications use to talk to hardware modules such as the card reader, PIN pad and dispenser. The weakness is structural rather than a single bug: the classic XFS 3.x interface exposes dispense commands to any process on the host and does not authenticate which application is issuing them, so whoever can execute code on the PC can empty the cassettes without a card, a PIN or an authorization from the bank's switch. Security researchers have been warning about this for years; the late Barnaby Jack famously demonstrated on-stage ATM cashouts at Black Hat back in 2010.
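Because a jackpot dispense never passes through the bank's authorization host, the tell is a dispense that has no card session behind it, often minutes after the top box was opened and usually in a rapid burst. The following detector is an added example written for this page, not code from the FBI bulletin, TechCrunch or any ATM vendor. The event line format (`atm=… event=… amount=…`) and the sample events are constructed for illustration; real deployments would take the same signals from the ATM's electronic journal and dispenser counters and reconcile them against the switch's record of authorized withdrawals.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real ATM data). The format is a hypothetical
# key=value line from a host-side monitoring agent. ATM-1182 shows one normal
# customer withdrawal, then a top-box opening followed by three card-less
# dispenses; ATM-0417 shows a single card-less dispense.
SAMPLE_EVENTS = """\
2025-03-02T10:14:02Z atm=ATM-1182 event=CARD_INSERTED
2025-03-02T10:14:09Z atm=ATM-1182 event=PIN_VERIFIED
2025-03-02T10:14:15Z atm=ATM-1182 event=DISPENSE amount=200
2025-03-02T10:14:20Z atm=ATM-1182 event=CARD_EJECTED
2025-03-02T11:02:44Z atm=ATM-1182 event=TOP_BOX_OPENED
2025-03-02T11:05:10Z atm=ATM-1182 event=DISPENSE amount=1000
2025-03-02T11:05:31Z atm=ATM-1182 event=DISPENSE amount=1000
2025-03-02T11:05:52Z atm=ATM-1182 event=DISPENSE amount=1000
2025-03-02T11:30:00Z atm=ATM-0417 event=DISPENSE amount=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) atm=(?P<atm>\S+) event=(?P<event>\S+)(?: amount=(?P<amount>\d+))?$"
)


def parse_events(text):
    """Parse the hypothetical agent format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable event line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "atm": m["atm"],
            "event": m["event"],
            "amount": int(m["amount"]) if m["amount"] else 0,
        })
    return events


def detect_jackpotting(events, session_window=timedelta(seconds=90),
                       tamper_window=timedelta(minutes=30),
                       burst_count=3, burst_window=timedelta(minutes=2)):
    """Flag DISPENSE events that look like malware-driven cash-outs.

    Three independent signals are combined; any one of them raises an alert:
      - no CARD_INSERTED on that ATM within session_window (card-less dispense)
      - TOP_BOX_OPENED on that ATM within tamper_window (physical access first)
      - burst_count or more dispenses within burst_window (cassette draining)
    """
    alerts = []
    last_card = {}        # atm -> timestamp of the open card session
    last_tamper = {}      # atm -> timestamp of last top-box opening
    recent_dispense = {}  # atm -> timestamps of dispenses in the burst window

    for ev in sorted(events, key=lambda e: e["ts"]):
        atm, kind, now = ev["atm"], ev["event"], ev["ts"]
        if kind == "CARD_INSERTED":
            last_card[atm] = now
        elif kind == "CARD_EJECTED":
            last_card.pop(atm, None)  # session over; later dispenses are card-less
        elif kind == "TOP_BOX_OPENED":
            last_tamper[atm] = now
        elif kind == "DISPENSE":
            reasons = []
            card_ts = last_card.get(atm)
            if card_ts is None or now - card_ts > session_window:
                reasons.append("dispense without a card session")
            tamper_ts = last_tamper.get(atm)
            if tamper_ts is not None and now - tamper_ts <= tamper_window:
                reasons.append("dispense shortly after top box opened")
            bucket = recent_dispense.setdefault(atm, [])
            bucket.append(now)
            bucket[:] = [t for t in bucket if now - t <= burst_window]
            if len(bucket) >= burst_count:
                reasons.append(f"{len(bucket)} dispenses within {burst_window}")
            if reasons:
                alerts.append({"atm": atm, "ts": now, "amount": ev["amount"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_jackpotting(parse_events(SAMPLE_EVENTS)):
        print(a["ts"].isoformat(), a["atm"], a["amount"], "; ".join(a["reasons"]))
```

The normal 10:14 withdrawal produces no alert; the four card-less dispenses do, and the third one on ATM-1182 carries all three reasons. The caveat matters: a monitor running on the same Windows PC that Ploutus controls can be stopped or fed false events, so the signals above are only trustworthy when they come from a component the attacker does not own, such as dispenser counters read by the bank's host or an out-of-band tamper sensor.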
So why is this still a thing in 2025? Because the incentives are backwards. Banks and ATM operators optimize for compliance checklists (patch cadence, vendor attestations, “secure” configurations on paper) while the real attack surface is physical access plus monoculture software. If a large share of ATMs rely on a similar Windows/XFS stack, criminals don't need brilliant new ideas, just scalable ones. The countermeasures are not exotic either: non-generic locks and tamper alarms on the top box, full-disk encryption so the PC core cannot be booted from or mounted by an attacker's media, application allowlisting so only the vendor's ATM software can load, and dispenser-side authentication of dispense commands where the hardware supports it. Each of those is easy to attest to on paper and just as easy to leave half-deployed in the field.
Then comes the question no bulletin answers: who eats the loss? Jackpotting doesn’t debit customer accounts, so the PR-friendly line is “customers are safe.” But the cash still vanishes. The bill lands on banks, independent ATM operators, or merchants hosting machines—ultimately folded into fees, higher prices, and the usual “fraud prevention” surcharges.
The predictable policy response will be to “secure cash” by treating everyone like a suspect: more surveillance around ATMs, more telemetry, more centralized controls, and—if history is any guide—more vendor lock-in sold as safety. The same institutions that can’t reliably secure a box bolted to the floor will lobby for more control over how everyone else moves money.
Jackpotting isn’t a mystery. It’s a business model enabled by brittle infrastructure and a governance culture that mistakes paperwork for security.