FBI Warns of ATM Jackpotting Surge as Losses Top $20

FBI Issues ATM Jackpotting Alert

The Federal Bureau of Investigation (FBI) has issued a Private Industry Notification (PIN) warning financial institutions about a significant surge in ATM jackpotting attacks across the United States. Total losses from these incidents exceeded $20 million in 2025, representing a sharp increase over previous years.

Jackpotting — the practice of forcing ATMs to dispense large volumes of cash on demand — has escalated from isolated incidents to a coordinated, nationwide campaign hitting regional banks and credit unions particularly hard.

How ATM Jackpotting Works

ATM jackpotting exploits either the hardware or software of cash machines to override normal dispensing controls. Two primary methods dominate the current threat landscape:

Method 1: Malware-Based (Black Box) Attacks

1. Physical Access — Attacker gains access to the ATM's internal computer, often by drilling or prying open the top hat (upper housing)
2. Malware Installation — Specialized malware such as Ploutus, Tyupkin, or GreenDispenser is loaded via USB or CD
3. Remote Trigger — The malware is activated remotely or via a hidden keyboard sequence
4. Cash Dispensing — The ATM is instructed to empty its cassettes, dispensing all available cash

Method 2: Hardware-Based (Black Box) Attacks

1. Disconnect Controller — The attacker disconnects the ATM's internal computer from the cash dispenser
2. Attach External Device — A custom "black box" device is connected directly to the dispenser's communication port
3. Send Commands — The device sends legitimate dispense commands directly to the hardware
4. Collect Cash — Cash is dispensed without any transaction record in the ATM's software logs

Scale of the Problem

Most Affected Regions

The FBI noted that attacks have spread well beyond major metropolitan areas:

• Southeast US — Highest concentration of incidents (Florida, Georgia, North Carolina)
• Midwest — Rapid increase in attacks on standalone ATMs (Ohio, Michigan, Illinois)
• Southwest — Growing activity along border states (Texas, Arizona)
• Northeast — Targeted attacks on older ATM fleets (Pennsylvania, New York)

Affected Institutions

Regional banks and credit unions have borne the brunt of the attacks due to several factors:

• Older ATM hardware with known vulnerabilities and outdated firmware
• Fewer physical security controls (no guards, limited surveillance)
• Standalone ATM placements in convenience stores, gas stations, and strip malls
• Slower patch cycles compared to major national banks
• Limited cybersecurity budgets for ATM fleet management

The FBI specifically noted that ATMs running Windows XP or Windows 7 — both past end-of-life — are disproportionately targeted.

FBI Recommendations

The FBI's PIN includes specific technical and operational recommendations for financial institutions:

Immediate Actions

• Update ATM operating systems to supported versions (Windows 10/11 for ATMs)
• Apply all available firmware patches from ATM manufacturers
• Enable full-disk encryption on ATM hard drives
• Disable USB and external media ports or implement strict device whitelisting
• Implement BIOS passwords to prevent unauthorized boot modifications

Physical Security

• Install tamper-evident seals on ATM cabinets and top hats
• Deploy surveillance cameras with clear sightlines to ATM access panels
• Use alarm systems that trigger on unauthorized cabinet access
• Conduct regular physical inspections of ATM housings for signs of tampering
• Relocate standalone ATMs to well-lit, high-traffic areas where feasible

Monitoring and Detection

• Implement real-time transaction monitoring that flags unusual dispense patterns
• Alert on after-hours dispense activity outside of normal transaction volumes
• Monitor for large sequential withdrawals from the same terminal
• Deploy application whitelisting to prevent unauthorized software execution
• Enable remote ATM health monitoring to detect hardware disconnections

Defense Measures for Banks

ATM Fleet Security Checklist

1. Inventory all ATMs and document hardware models, OS versions, and firmware levels
2. Prioritize replacement of end-of-life machines running unsupported operating systems
3. Segment ATM networks from corporate banking networks
4. Encrypt communications between ATMs and host processors
5. Conduct penetration testing of ATM infrastructure at least annually
6. Establish an incident response plan specific to ATM jackpotting scenarios
7. Train field technicians to recognize signs of physical tampering
8. Coordinate with law enforcement — report all suspected incidents to the FBI's IC3

Key Takeaways

1. ATM jackpotting is no longer a niche threat — 214 incidents across 31 states demonstrates this is a widespread, organized campaign
2. Regional institutions are primary targets — Smaller banks and credit unions must prioritize ATM fleet security
3. End-of-life operating systems are the entry point — Machines running Windows XP/7 are effectively open doors
4. Physical security matters as much as cyber — Many attacks require physical access to the ATM's internals
5. Report incidents immediately — FBI coordination is critical to disrupting organized jackpotting networks

Sources

• Peterson Technology Partners — ATM Jackpotting Threat Assessment
• SWK Technologies — Financial Cybersecurity Advisory