US ATMs ‘spitting out cash’ without cards? FBI sounds alarm over $20 million jackpotting surge

The FBI has issued a nationwide alert about a surge in ATM jackpotting attacks. Criminals are using malware to force cash machines to dispense money without legitimate transactions. These attacks are accelerating, with significant losses reported.

The Federal Bureau of Investigation has issued a nationwide alert warning US banks and financial institutions about a sharp rise in “ATM jackpotting” attacks - a form of cyber-enabled theft that allows criminals to force cash machines to spit out money without any legitimate transaction, reported TOI.

With losses mounting and attacks accelerating, authorities warn that ATM jackpottingse (IOCs) linked to malware used in these attacks, urging organisations to tighten security controls and report suspicious activity.

The scale of the threat is growing. Since 2020, nearly 1,900 ATM jackpotting incidents have been reported across the United States. Alarmingly, more than 700 of those cases, resulting in losses exceeding $20 million, occurred in 2025 alone.


How malware turns ATMs into cash dispensers

According to the report, at the heart of the surge is malware from the Ploutus family, a tool specifically designed to hijack ATMs. Instead of targeting customer accounts, Ploutus attacks the machine itself.

The malware exploits the eXtensions for Financial Services (XFS) software layer — the system that tells an ATM how to physically function. During a legitimate transaction, the ATM software sends instructions through XFS to verify bank authorisation before dispensing cash. But if criminals manage to inject their own commands into the XFS layer, they can override those checks entirely.

Once installed, Ploutus grants attackers direct control over the ATM. They can trigger cash withdrawals without a bank card, account credentials or approval from the bank.

Because the attack targets the hardware and system software, often running on Windows, it can be adapted for use across machines from different manufacturers with minimal modification.

TOI further reported that these “cash-out” operations can unfold in minutes, and by the time the machine runs dry or triggers alerts, the perpetrators are often long gone.

Physical access remains the weak link

Most jackpotting attacks begin with physical access to the ATM. According to the FBI, criminals frequently use widely available generic keys to open ATM panels. Once inside, they deploy malware using one of two common methods:

  • Removing the ATM’s hard drive, connecting it to a separate computer to copy malware onto it, then reinstalling and rebooting the machine.
  • Replacing the original hard drive with a compromised drive or external device preloaded with malicious software, noted the report.

Because the malware operates independently of the ATM’s standard banking communications, it can dispense cash without interacting with customer accounts or triggering traditional fraud detection systems.

Red flags to watch for

The FBI has outlined several physical warning signs that may indicate a compromised ATM:

  • ATM door alerts outside scheduled maintenance windows
  • Unexpected “low cash” or “no cash” notifications
  • Unauthorised devices connected to the machine
  • Missing or tampered hard drives
  • ATMs suddenly marked out of service

The agency is encouraging financial institutions to review physical security protocols, monitor for unusual service patterns and share information about suspicious activity.
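
The red flags above lend themselves to a simple monitoring rule. The following is an added example, not code from the FBI alert or the article: it flags door openings and hardware changes outside scheduled maintenance windows, and cash or service notices that follow an unscheduled door opening. The event names, ATM identifiers, 30-minute correlation window and sample data are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed event kinds standing in for whatever an ATM monitoring feed emits.
HARDWARE = {"DISK_MISSING", "DEVICE_CONNECTED"}
CASH_OR_SERVICE = {"LOW_CASH", "NO_CASH", "OUT_OF_SERVICE"}

def in_window(ts, windows):
    """True if ts falls inside any scheduled (start, end) maintenance window."""
    return any(start <= ts < end for start, end in windows)

def flag_atms(events, maintenance, correlate=timedelta(minutes=30)):
    """Return {atm_id: [(timestamp, kind, note), ...]} for suspicious ATMs.

    events: (iso_timestamp, atm_id, kind) tuples, in any order.
    maintenance: {atm_id: [(start, end), ...]} as datetime pairs.
    """
    findings, last_door = {}, {}
    for ts_s, atm, kind in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        if in_window(ts, maintenance.get(atm, [])):
            continue  # expected activity during a scheduled visit
        if kind == "DOOR_OPEN":
            last_door[atm] = ts
            note = "door opened outside maintenance window"
        elif kind in HARDWARE:
            note = "hardware change outside maintenance window"
        elif kind in CASH_OR_SERVICE and atm in last_door and ts - last_door[atm] <= correlate:
            # A cash or service notice alone may be routine; soon after an
            # unscheduled door opening it is not.
            note = "follows unscheduled door opening"
        else:
            continue
        findings.setdefault(atm, []).append((ts_s, kind, note))
    return findings

# Constructed sample data: one scheduled visit, one suspicious sequence,
# and one ordinary low-cash notice.
MAINTENANCE = {"ATM-001": [(datetime(2025, 1, 10, 9, 0), datetime(2025, 1, 10, 11, 0))]}
EVENTS = [
    ("2025-01-10T09:15:00", "ATM-001", "DOOR_OPEN"),
    ("2025-01-10T09:40:00", "ATM-001", "OUT_OF_SERVICE"),
    ("2025-01-11T02:05:00", "ATM-002", "DOOR_OPEN"),
    ("2025-01-11T02:12:00", "ATM-002", "DISK_MISSING"),
    ("2025-01-11T02:25:00", "ATM-002", "NO_CASH"),
    ("2025-01-11T14:00:00", "ATM-003", "LOW_CASH"),
]

if __name__ == "__main__":
    for atm, hits in flag_atms(EVENTS, MAINTENANCE).items():
        for ts, kind, note in hits:
            print(atm, ts, kind, note)
```

On the sample data only ATM-002 is reported; the scheduled visit to ATM-001 and the isolated low-cash notice on ATM-003 are not.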