FBI Warns of ATM Jackpotting Surge as Losses Top $20

FBI Issues ATM Jackpotting Alert

The Federal Bureau of Investigation (FBI) has issued a Private Industry Notification (PIN) warning financial institutions about a significant surge in ATM jackpotting attacks across the United States. Total losses from these incidents exceeded $20 million in 2025, representing a sharp increase over previous years.

Jackpotting — the practice of forcing ATMs to dispense large volumes of cash on demand — has escalated from isolated incidents to a coordinated, nationwide campaign hitting regional banks and credit unions particularly hard.

How ATM Jackpotting Works

ATM jackpotting exploits either the hardware or software of cash machines to override normal dispensing controls. Two primary methods dominate the current threat landscape:

Method 1: Malware-Based (Black Box) Attacks

Physical Access — Attacker gains access to the ATM's internal computer, often by drilling or prying open the top hat (upper housing)
Malware Installation — Specialized malware such as Ploutus, Tyupkin, or GreenDispenser is loaded via USB or CD
Remote Trigger — The malware is activated remotely or via a hidden keyboard sequence
Cash Dispensing — The ATM is instructed to empty its cassettes, dispensing all available cash

Method 2: Hardware-Based (Black Box) Attacks

Disconnect Controller — The attacker disconnects the ATM's internal computer from the cash dispenser
Attach External Device — A custom "black box" device is connected directly to the dispenser's communication port
Send Commands — The device sends legitimate dispense commands directly to the hardware
Collect Cash — Cash is dispensed without any transaction record in the ATM's software logs

Scale of the Problem

Metric	2024	2025	Change
Reported Incidents	87	214	+146%
Total Losses	$8.2M	$20.4M	+149%
Average Loss per Incident	$94,250	$95,300	+1%
States Affected	14	31	+121%
ATM Models Targeted	6	12	+100%

Most Affected Regions

The FBI noted that attacks have spread well beyond major metropolitan areas:

Southeast US — Highest concentration of incidents (Florida, Georgia, North Carolina)
Midwest — Rapid increase in attacks on standalone ATMs (Ohio, Michigan, Illinois)
Southwest — Growing activity along border states (Texas, Arizona)
Northeast — Targeted attacks on older ATM fleets (Pennsylvania, New York)

Affected Institutions

Regional banks and credit unions have borne the brunt of the attacks due to several factors:

Older ATM hardware with known vulnerabilities and outdated firmware
Fewer physical security controls (no guards, limited surveillance)
Standalone ATM placements in convenience stores, gas stations, and strip malls
Slower patch cycles compared to major national banks
Limited cybersecurity budgets for ATM fleet management

The FBI specifically noted that ATMs running Windows XP or Windows 7 — both past end-of-life — are disproportionately targeted.

FBI Recommendations

The FBI's PIN includes specific technical and operational recommendations for financial institutions:

Immediate Actions

Update ATM operating systems to supported versions (Windows 10/11 for ATMs)
Apply all available firmware patches from ATM manufacturers
Enable full-disk encryption on ATM hard drives
Disable USB and external media ports or implement strict device whitelisting
Implement BIOS passwords to prevent unauthorized boot modifications

Physical Security

Install tamper-evident seals on ATM cabinets and top hats
Deploy surveillance cameras with clear sightlines to ATM access panels
Use alarm systems that trigger on unauthorized cabinet access
Conduct regular physical inspections of ATM housings for signs of tampering
Relocate standalone ATMs to well-lit, high-traffic areas where feasible

Monitoring and Detection

Implement real-time transaction monitoring that flags unusual dispense patterns
Alert on after-hours dispense activity outside of normal transaction volumes
Monitor for large sequential withdrawals from the same terminal
Deploy application whitelisting to prevent unauthorized software execution
Enable remote ATM health monitoring to detect hardware disconnections

Defense Measures for Banks

ATM Fleet Security Checklist

Inventory all ATMs and document hardware models, OS versions, and firmware levels
Prioritize replacement of end-of-life machines running unsupported operating systems
Segment ATM networks from corporate banking networks
Encrypt communications between ATMs and host processors
Conduct penetration testing of ATM infrastructure at least annually
Establish an incident response plan specific to ATM jackpotting scenarios
Train field technicians to recognize signs of physical tampering
Coordinate with law enforcement — report all suspected incidents to the FBI's IC3

Key Takeaways

ATM jackpotting is no longer a niche threat — 214 incidents across 31 states demonstrates this is a widespread, organized campaign
Regional institutions are primary targets — Smaller banks and credit unions must prioritize ATM fleet security
End-of-life operating systems are the entry point — Machines running Windows XP/7 are effectively open doors
Physical security matters as much as cyber — Many attacks require physical access to the ATM's internals
Report incidents immediately — FBI coordination is critical to disrupting organized jackpotting networks

Sources

FBI Issues ATM Jackpotting Alert

How ATM Jackpotting Works

ATM jackpotting exploits either the hardware or software of cash machines to override normal dispensing controls. Two primary methods dominate the current threat landscape:

Method 1: Malware-Based (Black Box) Attacks

Physical Access — Attacker gains access to the ATM's internal computer, often by drilling or prying open the top hat (upper housing)
Malware Installation — Specialized malware such as Ploutus, Tyupkin, or GreenDispenser is loaded via USB or CD
Remote Trigger — The malware is activated remotely or via a hidden keyboard sequence
Cash Dispensing — The ATM is instructed to empty its cassettes, dispensing all available cash

Method 2: Hardware-Based (Black Box) Attacks

Disconnect Controller — The attacker disconnects the ATM's internal computer from the cash dispenser
Attach External Device — A custom "black box" device is connected directly to the dispenser's communication port
Send Commands — The device sends legitimate dispense commands directly to the hardware
Collect Cash — Cash is dispensed without any transaction record in the ATM's software logs

Scale of the Problem

Metric	2024	2025	Change
Reported Incidents	87	214	+146%
Total Losses	$8.2M	$20.4M	+149%
Average Loss per Incident	$94,250	$95,300	+1%
States Affected	14	31	+121%
ATM Models Targeted	6	12	+100%

Most Affected Regions

The FBI noted that attacks have spread well beyond major metropolitan areas:

Southeast US — Highest concentration of incidents (Florida, Georgia, North Carolina)
Midwest — Rapid increase in attacks on standalone ATMs (Ohio, Michigan, Illinois)
Southwest — Growing activity along border states (Texas, Arizona)
Northeast — Targeted attacks on older ATM fleets (Pennsylvania, New York)

Affected Institutions

Regional banks and credit unions have borne the brunt of the attacks due to several factors:

Older ATM hardware with known vulnerabilities and outdated firmware
Fewer physical security controls (no guards, limited surveillance)
Standalone ATM placements in convenience stores, gas stations, and strip malls
Slower patch cycles compared to major national banks
Limited cybersecurity budgets for ATM fleet management

The FBI specifically noted that ATMs running Windows XP or Windows 7 — both past end-of-life — are disproportionately targeted.

FBI Recommendations

The FBI's PIN includes specific technical and operational recommendations for financial institutions:

Immediate Actions

Update ATM operating systems to supported versions (Windows 10/11 for ATMs)
Apply all available firmware patches from ATM manufacturers
Enable full-disk encryption on ATM hard drives
Disable USB and external media ports or implement strict device whitelisting
Implement BIOS passwords to prevent unauthorized boot modifications

Physical Security

Install tamper-evident seals on ATM cabinets and top hats
Deploy surveillance cameras with clear sightlines to ATM access panels
Use alarm systems that trigger on unauthorized cabinet access
Conduct regular physical inspections of ATM housings for signs of tampering
Relocate standalone ATMs to well-lit, high-traffic areas where feasible

Monitoring and Detection

Implement real-time transaction monitoring that flags unusual dispense patterns
Alert on after-hours dispense activity outside of normal transaction volumes
Monitor for large sequential withdrawals from the same terminal
Deploy application whitelisting to prevent unauthorized software execution
Enable remote ATM health monitoring to detect hardware disconnections

Defense Measures for Banks

ATM Fleet Security Checklist

Inventory all ATMs and document hardware models, OS versions, and firmware levels
Prioritize replacement of end-of-life machines running unsupported operating systems
Segment ATM networks from corporate banking networks
Encrypt communications between ATMs and host processors
Conduct penetration testing of ATM infrastructure at least annually
Establish an incident response plan specific to ATM jackpotting scenarios
Train field technicians to recognize signs of physical tampering
Coordinate with law enforcement — report all suspected incidents to the FBI's IC3

Key Takeaways

ATM jackpotting is no longer a niche threat — 214 incidents across 31 states demonstrates this is a widespread, organized campaign
Regional institutions are primary targets — Smaller banks and credit unions must prioritize ATM fleet security
End-of-life operating systems are the entry point — Machines running Windows XP/7 are effectively open doors
Physical security matters as much as cyber — Many attacks require physical access to the ATM's internals
Report incidents immediately — FBI coordination is critical to disrupting organized jackpotting networks

FBI Warns of ATM Jackpotting Surge as Losses Top $20

FBI Issues ATM Jackpotting Alert

How ATM Jackpotting Works

Method 1: Malware-Based (Black Box) Attacks

Method 2: Hardware-Based (Black Box) Attacks

Scale of the Problem

Most Affected Regions

Affected Institutions

FBI Recommendations

Immediate Actions

Physical Security

Monitoring and Detection

Defense Measures for Banks

ATM Fleet Security Checklist

Key Takeaways

Sources

FBI Links Cybercriminals to Sharp Surge in Cargo Theft Attacks

Hackers Earning Millions from Hijacked Cargo, FBI Says

US & China Partner on Scam Center Takedown in Dubai

FBI Warns of ATM Jackpotting Surge as Losses Top $20

FBI Issues ATM Jackpotting Alert

How ATM Jackpotting Works

Method 1: Malware-Based (Black Box) Attacks

Method 2: Hardware-Based (Black Box) Attacks

Scale of the Problem

Most Affected Regions

Affected Institutions

FBI Recommendations

Immediate Actions

Physical Security

Monitoring and Detection

Defense Measures for Banks

ATM Fleet Security Checklist

Key Takeaways

Sources

FBI Links Cybercriminals to Sharp Surge in Cargo Theft Attacks

Hackers Earning Millions from Hijacked Cargo, FBI Says

US & China Partner on Scam Center Takedown in Dubai