FBI Warns Banks: ATM 'Jackpotting' Losses Surged Past $20 Million in 2025


The FBI’s IC3 FLASH advisory warns of malware-enabled ATM jackpotting incidents and includes technical indicators and mitigation steps for operators.

Cybercriminals are emptying ATMs across the U.S. faster than ever, using malware to force machines to spit out cash like slot machines hitting a jackpot. The FBI is now urging financial institutions to lock down their fleets immediately.

In a stark new advisory issued on February 19, 2026, the Federal Bureau of Investigation (FBI) warned of a significant escalation in malware-enabled ATM "jackpotting" incidents. The alert, distributed via the bureau’s IC3 Flash system, provides critical technical details and indicators of compromise (IOCs) designed to help banks, independent ATM operators, and service providers harden their machines against this relentless threat.

The scale of the problem is far from trivial. According to FBI data cited in the advisory, out of nearly 1,900 jackpotting incidents reported since 2020, more than 700 occurred in 2025 alone, resulting in over $20 million in direct losses. This sharp spike in activity suggests that criminal groups are refining their techniques and expanding their operations, making it imperative for the industry to take notice.

What is ATM Jackpotting?

Unlike traditional ATM fraud that involves stealing card data or skimming PINs, jackpotting is a direct, brutal form of cyber-physical theft. Criminals don't need to touch a single customer account. Instead, they install malware on the ATM itself—or manipulate its firmware—to take control of the dispensing mechanism.

As the FBI explains in its latest public service announcement, these are fast "cash-out" operations. Attackers often work in teams, with one individual physically compromising the machine while another waits nearby to scoop up the cascading bills. By the time the bank’s monitoring systems flag an anomaly, the money is long gone and the criminals are in the wind.

The Mechanics of the Heist: Ploutus and XFS

The FBI’s advisory specifically calls out the Ploutus malware family, a notorious strain that has evolved over the years to become a favorite tool for jackpotting gangs.

The key to Ploutus's effectiveness lies in its target: the eXtensions for Financial Services (XFS, the CEN/XFS standard) layer. XFS is the middleware that sits between the ATM's Windows-based operating system and the physical peripherals (the cash dispenser, PIN pad, card reader and so on), exposing each device to the ATM application through a common API.

In a legitimate transaction, the ATM application sends a dispense command through XFS only after the bank's host has authorized the withdrawal. Ploutus sidesteps that check: because it runs on the ATM itself, it can call the XFS dispense function directly, instructing the dispenser to empty every note in the cassettes on demand. The host never sees a transaction, so there is nothing for backend fraud controls to decline.

Why Physical Access is Still the Linchpin

While the malware is the weapon, getting it onto the machine is the battle. The FBI emphasizes that most of these attacks still begin with physical access.

Criminals often use widely available "generic" keys to open the top cabinet or service panel of the ATM. Once inside, they have several options to deploy the malware:

  • Hard Drive Manipulation: Removing the internal hard drive, connecting it to a personal laptop to copy the malware onto it, and then reinstalling it.
  • Drive Swapping: Replacing the original hard drive with a "foreign" drive preloaded with a compromised version of the ATM’s software.
  • External Booting: Booting the ATM from an external device (like a USB or CD-ROM) loaded with the malicious code.

Because the malware targets the Windows operating system and the standard XFS middleware rather than any vendor-specific application code, and Windows powers the vast majority of ATMs globally, the same tooling can often be reused across manufacturers (such as NCR or Diebold Nixdorf) with minimal adjustment. The malware doesn't care about the brand logo on the bezel; it just needs to talk to the Windows API and the XFS layer.

What to Look For: IOCs and Red Flags

To help defenders catch these attacks in progress or during forensic analysis, the FBI has released a detailed list of indicators of compromise (IOCs). These artifacts have been observed on compromised ATMs and should trigger immediate investigation.

File and Process Indicators:
Defenders should scan for suspicious executables and scripts, including:

  • Newage.exe
  • Color.exe
  • Levantaito.exe
  • NCRApp.exe
  • sdelete.exe (a legitimate Microsoft Sysinternals tool often abused to wipe evidence)
  • Promo.exe
  • WinMonitor.exe / WinMonitorCheck.exe
  • Anydesk1.exe (unauthorized remote access)
  • Associated files like C.dat and Restaurar.bat

The advisory also includes specific MD5 hashes tied to these artifacts, allowing for proactive file hunting across the ATM estate. Treat the hashes as a starting point rather than a complete signature: a recompiled or repacked variant will not match, so filename hits, unexpected binaries outside the gold image, and the behavioral indicators below matter just as much.

Network and Persistence Anomalies:
Beyond files, the FBI warns against the abuse of legitimate remote access tools. Finding unauthorized installations of TeamViewer or AnyDesk on an ATM is a massive red flag. Additionally, investigators should check Windows registry locations for suspicious autorun entries and custom services designed to keep the malware persistent after a reboot.

Physical and Operational Alerts:
Because tampering is required, physical security logs are crucial. Operators should pay close attention to:

  • ATM door-open alerts occurring outside of scheduled maintenance windows.
  • USB insertion events, including the connection of keyboards, hubs, or flash drives.
  • Unexpected low or no-cash states that don't align with legitimate transactions.
  • Signs of hard drive removal or tampering.

Mitigation: Layered Defense is Key

The FBI’s guidance moves beyond detection to focus on hardening the environment, urging a "defense-in-depth" strategy.

1. Software and System Integrity:
The bureau recommends validating all ATM files against a trusted "gold image." Any deviation, especially unsigned or newly introduced binaries, should be treated as a potential compromise. Strict device whitelisting (USB device control) blocks unauthorized keyboards, hubs and storage from enumerating in the first place. Full-disk encryption with the key sealed to the TPM, combined with Secure Boot and a locked BIOS boot order, directly counters the three deployment methods above: a removed drive cannot be read or modified offline, a foreign drive will not unlock on the ATM's hardware, and the machine will not boot from external media.

2. Auditing and Monitoring:
Standard network monitoring often misses jackpotting staging activities. The FBI recommends a targeted audit policy focusing on removable storage usage, controlled file access, and process creation to catch criminals in the act of loading malware.

3. Physical Hardening:
The simplest advice is often the most effective: make it harder to get inside the machine. The FBI advises:

  • Upgrading locks so that generic, off-the-shelf keys no longer open the top cabinet or service panel.
  • Installing alarms and sensors on service panels to detect movement or heat.
  • Ensuring surveillance cameras have a clear view of the ATM and that footage is retained for a sufficient period.
  • Limiting physical access to the cashbox area.
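Two of the checks above, hunting for the filename and hash IOCs from the "What to Look For" section and validating the ATM's files against a gold image under point 1, share the same plumbing. The script below is an added example written for this article, not tooling from the FBI advisory or any ATM vendor: it lowercases paths (NTFS is case-insensitive), flags filenames from the IOC list, flags dual-use tools such as sdelete.exe and AnyDesk for manual review, checks MD5 against an IOC hash set, and diffs SHA-256 digests against a gold-image manifest in both directions. The gold image, the observed inventory and the IOC hash set are constructed for the demo; the real MD5 values must be taken from the IC3 Flash.

```python
"""ATM file-integrity triage: filename/hash IOC hunt plus gold-image diff.

Added example, not from the FBI advisory. Sample files below are constructed
stand-ins; replace the IOC hash set with the MD5 values published in the IC3 Flash.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Filenames listed in the advisory. NTFS is case-insensitive, so compare lowercase.
IOC_FILENAMES = {
    "newage.exe", "color.exe", "levantaito.exe", "ncrapp.exe", "promo.exe",
    "winmonitor.exe", "winmonitorcheck.exe", "anydesk1.exe", "c.dat", "restaurar.bat",
}
# Legitimate tools that have no business on an ATM unless a work order says so.
DUAL_USE_FILENAMES = {"sdelete.exe", "anydesk.exe", "teamviewer.exe"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(observed: dict[str, bytes], gold: dict[str, str],
           ioc_md5: set[str]) -> list[Finding]:
    """observed: path -> bytes read from the suspect ATM.
    gold: path -> SHA-256 recorded from the trusted gold image.
    ioc_md5: MD5 digests from the advisory (its hash IOCs are MD5)."""
    observed = {p.lower(): b for p, b in observed.items()}
    gold = {p.lower(): h for p, h in gold.items()}
    findings: list[Finding] = []
    for path, data in sorted(observed.items()):
        name = path.rsplit("\\", 1)[-1]
        if name in IOC_FILENAMES:
            findings.append(Finding(path, "filename matches advisory IOC"))
        elif name in DUAL_USE_FILENAMES:
            findings.append(Finding(path, "dual-use tool present; verify it is authorized"))
        if md5_hex(data) in ioc_md5:
            findings.append(Finding(path, "MD5 matches advisory IOC hash"))
        if path not in gold:
            findings.append(Finding(path, "not in gold image"))
        elif gold[path] != sha256_hex(data):
            findings.append(Finding(path, "content differs from gold image"))
    # Files the gold image has but the ATM does not: a swapped or stripped drive.
    for path in sorted(set(gold) - set(observed)):
        findings.append(Finding(path, "present in gold image but missing on ATM"))
    return findings


# --- constructed sample data (not real ATM software and not real IOC hashes) ---
GOLD_FILES = {
    r"C:\ATM\App\AtmApp.exe": b"constructed: vendor ATM application",
    r"C:\Windows\System32\msxfs.dll": b"constructed: XFS manager",
}
GOLD_MANIFEST = {p: sha256_hex(b) for p, b in GOLD_FILES.items()}

OBSERVED_FILES = {
    r"C:\ATM\App\AtmApp.exe": b"constructed: vendor ATM application",     # unchanged
    r"C:\Windows\System32\msxfs.dll": b"constructed: XFS manager PATCHED",  # modified in place
    r"C:\ATM\App\NCRApp.exe": b"constructed: dropped binary",             # IOC filename, not in gold
    r"C:\Tools\sdelete.exe": b"constructed: sysinternals sdelete",        # dual-use, not in gold
}
# Placeholder IOC hash derived from the constructed sample so the hash path is exercised.
SAMPLE_IOC_MD5 = {md5_hex(OBSERVED_FILES[r"C:\ATM\App\NCRApp.exe"])}


def run_demo() -> list[Finding]:
    return triage(OBSERVED_FILES, GOLD_MANIFEST, SAMPLE_IOC_MD5)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}: {f.reason}")
```

In a real deployment the observed inventory would be streamed from each ATM (or from an imaged drive during forensics) rather than held in memory, and the gold manifest would be generated from the signed build the operator deploys, not from a machine already in the field. The "missing on ATM" branch is what catches the drive-swap case, where the attacker's image simply lacks the operator's monitoring agents.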

Reporting and Next Steps

The FBI encourages any organization that suspects a compromise to act quickly. Institutions should contact their local FBI field office or file a report through the IC3 (Internet Crime Complaint Center). When reporting, the FBI requests specific details, including bank/branch identifiers, ATM make and model, vendor information, and available logging data to assist in broader investigations.

With losses mounting and the tactics of these criminal networks becoming more sophisticated, the window for proactive defense is closing. As the FBI’s Flash advisory makes clear, waiting for an alert after the cash is gone is no longer a viable strategy.
