The FBI has issued a nationwide warning as ATM “jackpotting” malware attacks surge across the United States, causing millions of dollars in losses.
Federal authorities warn that criminals are physically installing malware into ATM hard drives, bypassing bank systems and triggering unauthorized cash withdrawals. Image: CH
Fintech Desk – February 25, 2026:
A sharp rise in sophisticated ATM malware attacks across the United States has prompted a formal warning from the Federal Bureau of Investigation, as financial institutions grapple with a growing cyber-physical threat known as “jackpotting.”
The scheme, which turns cash machines into what investigators describe as remote-controlled money dispensers, allows criminals to withdraw large amounts of cash without using a bank card, customer account, or bank authorization. Instead of targeting customer data, attackers compromise the ATM itself.
According to federal authorities, more than 1,900 jackpotting incidents have been reported nationwide since 2020. In 2025 alone, over 700 attacks resulted in financial losses exceeding $20 million, underscoring the accelerating scale and sophistication of the threat.
Unlike traditional cyber fraud, jackpotting is a direct machine-level attack. Criminals deploy specialized malware designed to manipulate the ATM’s internal software, particularly the system that coordinates communication between hardware components and transaction-processing programs. By inserting malicious code, attackers can instruct the ATM to dispense cash on command, bypassing bank approval systems entirely.
The malware most commonly associated with these attacks, known in cybersecurity circles as “Ploutus,” is engineered to override standard safeguards. Once active, it communicates directly with the ATM’s internal hardware, triggering rapid cash withdrawals within minutes. Because no customer accounts are accessed, the breach may go undetected until after the money has already been taken.
Investigations reveal that many of these attacks involve physical access to the machine. In numerous cases, fraudsters open the ATM cabinet, remove its internal hard drive, and connect it to a separate laptop to install malware. The compromised drive is then reinserted into the machine. In other instances, criminals replace the original hard drive entirely with one preloaded with malicious software. When the ATM is restarted, the malware activates automatically.
This hybrid approach — combining physical tampering with advanced malware — presents new challenges for banks and law enforcement. Traditional cybersecurity systems are primarily designed to protect digital networks, not hardware that can be physically accessed and manipulated.
The FBI’s advisory outlines technical warning signs and urges banks to strengthen both digital defenses and physical security controls. Recommended measures include reinforcing ATM enclosures, monitoring for unauthorized access, restricting USB and external device ports, and ensuring software updates are applied promptly.
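The sequence described above (cabinet opened, drive altered or swapped, machine restarted, cash dispensed with no bank authorization) can be monitored as a correlation rule over ATM telemetry. The Python below is an added example, not taken from the FBI advisory or any vendor; the event types, field names, baseline values and sample events are constructed assumptions.

```python
# Constructed telemetry for one ATM. Event types and field names are
# hypothetical; they are not from the FBI advisory or any vendor log format.
BASELINE = {"disk_serial": "SERIAL-A", "boot_measurement": "aaaa"}
EVENTS = [
    {"t": 100, "type": "cabinet_open", "authorized": False},
    {"t": 900, "type": "boot", "disk_serial": "SERIAL-B", "boot_measurement": "bbbb"},
    {"t": 960, "type": "dispense", "amount": 2000, "host_auth_id": None},
    {"t": 975, "type": "dispense", "amount": 2000, "host_auth_id": None},
]
TAMPER = {"unauthorized_cabinet_access", "disk_replaced", "disk_modified"}
NO_AUTH = "dispense_without_host_authorization"


def find_indicators(events, baseline):
    """Return (time, indicator) pairs for each suspicious event, in time order."""
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "cabinet_open" and not ev.get("authorized", False):
            findings.append((ev["t"], "unauthorized_cabinet_access"))
        elif ev["type"] == "boot":
            # A different serial means the drive was swapped; the same serial
            # with a different measurement means it was altered offline.
            if ev.get("disk_serial") != baseline["disk_serial"]:
                findings.append((ev["t"], "disk_replaced"))
            elif ev.get("boot_measurement") != baseline["boot_measurement"]:
                findings.append((ev["t"], "disk_modified"))
        elif ev["type"] == "dispense" and ev.get("host_auth_id") is None:
            # Cash left the machine with no matching bank-side authorization.
            findings.append((ev["t"], NO_AUTH))
    return findings


def assess(events, baseline, window=3600):
    """Rate the ATM: 'critical' when an unauthorized dispense follows tampering."""
    findings = find_indicators(events, baseline)
    tamper = [t for t, kind in findings if kind in TAMPER]
    no_auth = [t for t, kind in findings if kind == NO_AUTH]
    if any(0 <= d - p <= window for d in no_auth for p in tamper):
        return "critical"
    return "investigate" if findings else "ok"


if __name__ == "__main__":
    for t, kind in find_indicators(EVENTS, BASELINE):
        print(t, kind)
    print(assess(EVENTS, BASELINE))
```

Reconciling dispense events against bank-side authorizations matters here because, as the article notes, no customer account is touched and account-level fraud alerts never fire.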
The surge in jackpotting reflects a broader evolution in financial crime. As banks improve online security and customer authentication systems, cybercriminals are increasingly targeting infrastructure itself. By attacking the ATM rather than individual accounts, fraudsters bypass multi-factor authentication, transaction alerts, and other safeguards designed to protect consumers.
Security analysts warn that unless preventive measures are expanded, jackpotting could spread further, particularly as ATM models age and vulnerabilities remain unpatched. The FBI’s warning signals growing concern that the technique may continue to evolve, potentially incorporating remote exploitation methods alongside physical intrusion.
In an era where automated teller machines remain central to daily banking, the latest wave of attacks highlights a stark reality: even longstanding financial technologies can become prime targets when digital and physical vulnerabilities intersect.
