
FBI signals renewed wave of ATM jackpotting; 700+ incidents and $20M losses in 2025
FBI alert: ATM malware crisis explained
The federal agency released a brief warning after security teams documented a steep uptick in machines being forced to dispense cash illicitly. Investigators counted more than 700 incidents in 2025 and about 1,900 in total since 2020, marking a multi-year campaign that has regained momentum.
Operators report that attackers gain physical access to terminals, install malicious code and then instruct the hardware to release bills outside normal transaction flows. The most-cited toolkit linked to these break-ins is a long-lived family called Ploutus, which has resurfaced after a quieter period and is notable for cross-vendor effectiveness.
The FBI emphasized that intrusions typically exploit the ATM’s underlying operating system, enabling relatively small changes to malware samples to work on machines from different manufacturers. Because of this, a single campaign can hit a wide range of hardware with limited reengineering requirements.
Two practical problems make these events costly: the cash-out process can complete in minutes, and forensic traces are often removed automatically by the malware. To help defenders, the alert bundled technical indicators and recommended mitigations aimed at banks, vendors and service technicians.
- Financial impact: documented losses from the prior year exceeded $20 million.
- Operational scope: attacks span many states and hardware models, increasing detection complexity.
- Law enforcement follow-up: prosecutors have pursued multiple suspects tied to these schemes, including cross-border actors.
As immediate steps, institutions are advised to harden physical controls, verify software integrity on cash-dispensing modules, and run the IoCs provided to spot compromise early. The bulletin also highlights the need for coordinated intel sharing between banks and federal teams to reduce repetitive losses.
Taken together, the warning frames jackpotting not as an isolated nuisance but as a scalable criminal business model that mixes low-friction code reuse with hands-on access to equipment. Expect the FBI notice to accelerate both private defenses and further prosecutorial actions.
