$20 million lost in 'jackpotting' ATM malware attacks in 2025, FBI reports — scheme forces machines to spit out cash, targets banks and ATM operators

The Federal Bureau of Investigation (FBI) has issued a cybersecurity alert warning the public of the increasing malware attacks on ATMs. According to the FBI FLASH document (PDF), threat actors are breaking into these machines using generic keys to open their maintenance cabinets. They remove the storage drive, load malware onto it—or replace it with a compromised one—and then reboot the machine to load the payload.

Ploutus is one malware used in these types of attacks, in which it exploits the eXtensions for Financial Services (XFS) software. ATMs use XFS to communicate with the bank network to authorize every transaction, but Ploutus overrides this and issues its own commands to XFS. This allows attackers to take over the machines and make withdrawals without a card or account, essentially forcing the machine to just dispense money.

This type of attack is called “jackpotting,” and the agency said that out of the 1,900 reported attacks since 2020, 700, or more than a third, happened last year alone. Furthermore, losses from just 2025 are already over $20 million.

The agency said that the attack isn’t tied to a specific bank, financial network, or ATM brand as it targets the Windows operating system commonly used in these machines. So, if there’s a vulnerability in the OS, bad actors can take advantage of this across many cash terminals even before they can be patched. We’ve even seen one busted ATM showing a Windows 7 login page, showing us how old these cash-dispensing appliances can get (Windows 7 was released in 2009 and discontinued in 2020, with paid extended security updates lasting until 2023).

There are several suggestions on what financial institutions can do to mitigate these attacks, including monitoring their machines for unauthorized files and executables, disabling all USB ports, replacing generic locks with keypads, and adding a secondary alarm/security system on top of the already existing one.

But given that there are hundreds of thousands of ATMs deployed within the U.S. alone, we expect these recommendations will take time to be implemented. Thankfully, the general public isn’t directly affected by these attacks, unlike Bitcoin ATM fraud, which reported losses of $333 million to private individuals. However, this still needs to be addressed as soon as possible, as it makes everything more expensive for everyone, as the banks or insurance companies will eventually have to pass on these losses to the everyday consumer.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.