FBI warns ATM jackpotting surges past 700 attacks in 2025
Windows-based XFS layer enables malware like Ploutus, banks answer with surveillance not hardware hardening
Barnaby Jack, the late security researcher credited with the first ATM “jackpotting” attacks. Image credits: YouTube
Zack Whittaker
techcrunch.com
ATM “jackpotting”—forcing cash machines to spit out banknotes on command—has graduated from conference-stage stunt to routine crime, and the FBI says the business is booming.
In a security bulletin cited by TechCrunch, the FBI reports more than 700 jackpotting attacks on cash dispensers in 2025, with at least $20 million stolen. The pattern is depressingly consistent: attackers combine physical access (generic keys, weak locks, access to internal ports or hard drives) with malware that takes control of the ATM’s software stack.
One malware family singled out is Ploutus, which targets the Windows operating system still running many ATMs. The trick is not to hack customer accounts but to commandeer the machine itself. Ploutus abuses the “Extensions for Financial Services” (XFS) layer—middleware used by ATMs to talk to hardware components like the PIN pad, card reader, and cash dispenser. Once an attacker can issue XFS commands, “dispense cash” becomes just another API call.
The FBI notes that these cash-outs can happen in minutes and may not be detected until after the money is gone. The monitoring model is often post-facto reconciliation, not real-time tamper resistance.
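The detection gap described above can be closed with a simple real-time correlation rule: a dispense that no host-authorized withdrawal explains is the signature of a jackpotting cash-out. The following is an added illustration, not code from the article or from any ATM vendor; the event log format, field names and the 30-second authorization window are constructed assumptions.

```python
"""Real-time dispense correlation check for an ATM event stream.

Added illustration, not from the article or any vendor. It flags cash
dispenser activity that has no matching host-authorized withdrawal, or
that pays out more than the host authorized. Log format is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample event stream (format is an assumption, not a real ATM log).
# Events 3 and 4 are dispenses with no transaction or host authorization at all;
# event 6 dispenses more than the host approved for transaction B7.
SAMPLE_EVENTS = """\
2025-03-01T10:00:01Z HOST_AUTH txn=A1 amount=200
2025-03-01T10:00:04Z DISPENSE txn=A1 amount=200
2025-03-01T10:07:30Z DISPENSE txn=- amount=2000
2025-03-01T10:07:41Z DISPENSE txn=- amount=2000
2025-03-01T10:12:00Z HOST_AUTH txn=B7 amount=100
2025-03-01T10:12:02Z DISPENSE txn=B7 amount=300
"""

AUTH_WINDOW = timedelta(seconds=30)  # assumed max delay between host auth and payout


def parse_event(line):
    """Parse one constructed log line into a dict with ts, kind, txn, amount."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind,
            "txn": kv.get("txn"), "amount": int(kv.get("amount", 0))}


def find_unauthorized_dispenses(log_text, window=AUTH_WINDOW):
    """Return (timestamp, reason, amount) alerts for suspicious DISPENSE events.

    A dispense is suspicious when no HOST_AUTH for the same txn id was seen
    within `window`, or when it pays out more than that authorization allowed.
    Each authorization is consumed by the first dispense that references it.
    """
    pending = {}  # txn id -> (authorization time, authorized amount)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["kind"] == "HOST_AUTH":
            pending[ev["txn"]] = (ev["ts"], ev["amount"])
        elif ev["kind"] == "DISPENSE":
            auth = pending.pop(ev["txn"], None)
            if auth is None or ev["ts"] - auth[0] > window:
                alerts.append((ev["ts"], "dispense without host authorization", ev["amount"]))
            elif ev["amount"] > auth[1]:
                alerts.append((ev["ts"], "dispense exceeds authorized amount", ev["amount"]))
    return alerts


if __name__ == "__main__":
    for ts, reason, amount in find_unauthorized_dispenses(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} ALERT {reason}: {amount}")
```

On the sample stream this raises three alerts in real time: the two unauthorized 2000-unit dispenses and the 300-unit dispense against a 100-unit authorization, rather than surfacing them in end-of-day reconciliation.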
This is what aging infrastructure looks like when it meets adversaries who are allowed to touch the box. The industry’s decision to keep Windows-based systems in the field for years is not merely technical debt; it is an incentive problem. Banks and ATM operators optimize for uptime, fleet manageability, and vendor lock-in. The downside risk of physical compromise is frequently socialized—absorbed as losses, insurance, or “operational costs” that ultimately flow back to customers via higher fees and tighter “risk controls.”
And those “controls” are rarely the expensive, effective ones. Replacing insecure hardware, redesigning enclosures, deploying tamper-evident seals, hardening boot chains, or using secure elements costs money and creates maintenance friction. The cheaper response is surveillance and friction: more cameras, more geofencing, more transaction monitoring, more identification checks, and more restrictions that inconvenience legitimate users.
Jackpotting shows that cybersecurity isn’t purely digital. The attack chain begins with access: keys that shouldn’t exist, panels that open too easily, ports that are reachable, drives that can be swapped, and systems that trust local commands. A bank can lecture customers about strong passwords all day; it won’t help when the criminal’s “password” is a master key and a USB stick.
The FBI warning implicitly points to the real fix: treat ATMs as high-value, hostile-environment computers. Until then, the industry will continue to prefer an optics-first strategy—announce “enhanced security measures,” then pass the bill to the public one fee at a time.