A full ten years back, folks stared wide-eyed when Barnaby Jack made an ATM cough up stacks of bills right during his talk at Black Hat. That moment (live, real, no edits) showed a weak spot most had never thought about before. Back then, messing with ATMs felt more like tech theater than actual crime. Now? Pulling money machines apart is part of a steady underground playbook. The FBI just put out a warning: crooks aren’t just poking around anymore. They’re smashing their way in, loading stealthy code, and walking away with bags full of stolen cash. Every year, the total climbs higher. What looked like magic once now fuels quiet thefts across cities.
Just last year, thieves hit ATMs in over 700 separate break-ins nationwide. Together, the stolen bills add up to twenty million dollars lost by banks so far. Since 2020, law enforcement has logged close to 1,900 such heists. Instead of just guessing their way through defenses, attackers now climb inside machines while also running software tricks behind the scenes. What once sounded like movie fiction is now a routine tactic pulled off by coordinated crews.
The attack starts at the metal box itself: someone slips a common key into the lock up front, and the little door swings open without much fuss. A hand reaches past the wires toward the storage unit tucked deep within. Sometimes that piece comes right out and gets plugged into another device nearby, where the code is swapped while the screen stays dark. Then back it goes, the door clicking shut like nothing changed. Frequently, these criminals swap out the hard drive for one already infected with malicious code. Alongside such hands-on tampering comes powerful software that lets them take control of the machine from within.
A widely seen type of ATM malware goes by the name Ploutus. This digital threat works deep inside machines running Windows. From there, thieves take full command of the device, sending orders to spit out money nonstop. Instead of going after bank records, it hits the hardware directly. Cash vanishes fast, sometimes thousands in under five minutes, while accounts stay untouched. That silence helps the crime slip past alarms until much later.
From deep within an ATM’s operation, Ploutus malware takes hold using something called XFS – short for eXtensions for Financial Services. This framework usually links the machine’s brain to parts such as the card slot, number pad, and money drawer. When things run normally, XFS checks that each withdrawal gets approved through proper banking channels. Yet once the machine is infected, the malware twists these signals, cutting out approval steps entirely while forcing the machine to spit out bills on command. Because so many ATMs rely on similar XFS setups, slight tweaks let attackers hit various brands without rewriting most of their code. In practice, this turns standardized design into a weakness rather than a strength.
Careful planning marks how these operations unfold, according to the FBI’s alert. Before moving in, attackers study machines, watching alarms and scanning camera angles to find gaps. With entry secured, thieves pull out stacks fast, one after another, draining entire reserves almost instantly. Since the breach hits the device itself, not personal balances, neither bank staff nor users catch it right away. Often, silence follows until someone notices the drawer stands bare.
Back in 2013, signs of Ploutus showed up during attacks on cash machines across Mexico. Instead of needing complex tools, hackers could drain devices by plugging in a physical keyboard or triggering actions via text messages. Over time, new versions popped up, each sharper than the last. Now, specialists see it as one of the toughest threats ever found inside ATMs. Different brands have fallen victim, including models made by Diebold Nixdorf and those running on Kalignite systems. Its reach keeps growing, quietly adapting along the way.
Starting in early 2024, a crew from Venezuela known as Tren de Aragua had by late 2025 pulled off thefts using Ploutus malware across 63 U.S. ATMs, walking away with no less than $5.4 million. Though their sights were set on another $1.4 million, several attempts fizzled out before reaching success. Some machines coughed up nearly $300,000 in one go, though it was more common for each hit to clear over $100,000. Before acting, they watched every detail: alarm systems, surveillance, anything that could signal trouble. Behind such moves lies coordination once unseen in street-level crime.
A warning from the FBI spells out steps financial institutions can take to secure their ATMs. On computers using Windows, look for strange programs, odd script behavior, or folders appearing without explanation. Sometimes clues show up outside the system, like unapproved USB sticks plugged in, ATM enclosures pried open, or storage units gone missing. Watch the XFS log data with care, reporting anything off straight away to either the FBI or the online crime reporting hub. Knowing how hackers work, both inside systems and on-site, makes a big difference when it comes to stopping theft before it happens.
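One way to watch XFS log data for the pattern described above, cash dispensed without a host approval, is to correlate dispense events with approvals. This is an added example, not code from the FBI alert or from any ATM vendor; the normalized log format, the event names `AUTH_APPROVED` and `DISPENSE`, and the 60-second window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source> <event> <amount>". Real XFS traces and
# host journals are vendor-specific and must be normalized into this shape first.
SAMPLE_EVENTS = """\
2025-01-10T09:14:02 HOST AUTH_APPROVED 200
2025-01-10T09:14:05 XFS DISPENSE 200
2025-01-10T09:14:20 XFS DISPENSE 200
2025-01-10T13:40:11 HOST AUTH_APPROVED 60
2025-01-10T13:40:15 XFS DISPENSE 60
2025-01-10T15:00:00 HOST AUTH_APPROVED 100
2025-01-10T15:05:00 XFS DISPENSE 100
2025-01-11T02:31:40 XFS DISPENSE 2000
2025-01-11T02:31:58 XFS DISPENSE 2000
"""

AUTH_WINDOW = timedelta(seconds=60)  # assumed limit between approval and dispense


def parse(line):
    ts, source, event, amount = line.split()
    return datetime.fromisoformat(ts), source, event, int(amount)


def unauthorized_dispenses(text, window=AUTH_WINDOW):
    """Return (timestamp, amount) for every dispense with no matching approval."""
    events = sorted(parse(l) for l in text.splitlines() if l.strip())
    pending = []  # approvals not yet consumed by a dispense
    alerts = []
    for ts, source, event, amount in events:
        if (source, event) == ("HOST", "AUTH_APPROVED"):
            pending.append((ts, amount))
        elif (source, event) == ("XFS", "DISPENSE"):
            # An approval is valid once, for the same amount, within the window.
            pending = [(t, a) for t, a in pending if ts - t <= window]
            match = next((p for p in pending if p[1] == amount), None)
            if match:
                pending.remove(match)
            else:
                alerts.append((ts, amount))
    return alerts


if __name__ == "__main__":
    for ts, amount in unauthorized_dispenses(SAMPLE_EVENTS):
        print(f"ALERT {ts.isoformat()} dispense of {amount} without host approval")
```

On the constructed sample this flags the repeated dispense that reuses an already consumed approval, the dispense that arrives after its approval has expired, and the two overnight dispenses with no approval at all.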
One way to look at it: ATM jackpotting isn’t like stealing cards or copying details. Instead of grabbing user info such as PINs and account numbers, hackers go after the machine directly. Even though people using ATMs aren’t personally affected, banks often face huge losses each year. Because of this, protecting both physical parts and internal systems becomes critical. The risk hits hard: security gaps can cost millions.
Most experts agree safety works better when layered. Machines bolted shut make breaking in harder.
Updates keep systems ahead of new tricks hackers try. Watching data flow helps spot odd patterns fast. Workers who know what to look for catch problems early. Strong bolts plus smart code slow down most threats. Cash stays safer when defenses work together. Fewer gaps mean fewer chances for theft.
ATM jackpotting’s rise shines a light on deeper issues within banking security systems.
Digital dependence in finance opens doors wider for malware, ransomware, and similar dangers. Ploutus is not an outlier; it reveals how criminals target weak links where machines meet code. Staying safe means banks keep adapting defenses, constantly updating tools against new tricks. Surprise often comes not from flashy hacks but quiet flaws hidden in plain interactions.
What started as one researcher’s experiment now fuels organized crime. Instead of breaking accounts, thieves use malware like Ploutus to trick ATMs into spitting out money; hardware and XFS flaws make it possible. By 2025, more than 700 cases had bled over twenty million dollars from banks. Watching the machines matters just as much as guarding their code; updates alone won’t stop everything. Workers must recognize warning signs before transactions turn suspicious. Rising numbers mean delays cost too much; silence feeds loss. Staying ready, spotting early signals, speaking up fast: that shapes defense today.


