Cybercriminals stole over $20 million in 2025 using ATM jackpotting attacks that exploit physical and software vulnerabilities to force ATMs to dispense cash, with the FBI reporting a sharp increase in these cyber-physical threats.
Cybercriminals stole more than $20 million from compromised ATMs in 2025 using sophisticated malware attacks known as "jackpotting," according to a recent FBI security alert. These attacks combine physical access with software exploitation to bypass banking security protocols and force ATMs to dispense cash on demand.

How Jackpotting Attacks Work
- Physical Compromise: Criminals use generic keys to open ATM exteriors
- Malware Installation: Attackers either:
  - Remove the ATM's hard drive to copy malware onto it
  - Replace the hard drive with one preloaded with jackpotting malware
- Exploiting Banking Protocols: Malware like Ploutus targets the eXtensions for Financial Services (XFS) API—an open standard that enables banking software to communicate with hardware across vendors
- Unauthorized Dispensing: The malware bypasses transaction authorization systems, allowing criminals to remotely trigger cash dispensing

Rising Threat Landscape
The FBI documented over 1,900 incidents since 2020, with more than 700 occurring in 2025 alone—a significant year-over-year increase. Unlike card-skimming attacks that directly impact consumers, jackpotting targets financial institutions by:
- Bypassing customer account linkages
- Creating territories of undetectable cash withdrawals
- Causing multi-million dollar losses before detection

Detection Challenges
These attacks leave minimal forensic trails. Key indicators include:
- Digital evidence: Specific executables (e.g., update.exe, xfs_ci.dll) and scripts
- Physical signs: Unauthorized USB devices, removed hard drives, or "no cash" errors during attacks

Critical Next Steps
The FBI urges financial institutions to:
- Audit physical ATM security mechanisms
- Monitor XFS API interactions for abnormal commands
- Immediately report suspicious activity to local FBI field offices or the Internet Crime Complaint Center
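
An added example, not from the FBI alert or this article, of monitoring for dispenses that lack a matching host authorization, the behaviour described under Unauthorized Dispensing above. The journal format, the event names (HOST_AUTH, DISPENSE, CABINET_OPEN, DISK_REMOVED, USB_INSERTED) and both time windows are assumptions made for illustration; real XFS middleware and vendor journals differ.

```python
from datetime import datetime, timedelta

# Constructed sample journal: "<ISO time> <terminal> <event> [key=value ...]".
# Hypothetical format and event names, not a real vendor or XFS log layout.
SAMPLE_LOG = """\
2025-06-01T02:10:00 ATM-17 HOST_AUTH txn=8841 amount=200
2025-06-01T02:10:04 ATM-17 DISPENSE amount=200
2025-06-01T03:41:12 ATM-17 CABINET_OPEN
2025-06-01T03:44:50 ATM-17 DISK_REMOVED
2025-06-01T03:58:02 ATM-17 DISPENSE amount=2000
2025-06-01T03:58:09 ATM-17 DISPENSE amount=2000
2025-06-01T04:00:00 ATM-22 HOST_AUTH txn=8850 amount=100
2025-06-01T04:02:30 ATM-22 DISPENSE amount=100
"""

AUTH_WINDOW = timedelta(seconds=30)  # assumed max gap between authorization and dispense
TAMPER_WINDOW = timedelta(hours=1)   # assumed look-back for physical tamper events
TAMPER_EVENTS = {"CABINET_OPEN", "DISK_REMOVED", "USB_INSERTED"}


def parse(line):
    ts, terminal, event, *kv = line.split()
    return datetime.fromisoformat(ts), terminal, event, dict(p.split("=", 1) for p in kv)


def find_unauthorized_dispenses(log_text):
    pending_auth = {}  # terminal -> (time, amount) of the latest unused authorization
    tamper = {}        # terminal -> [(time, event), ...]
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, term, event, fields = parse(line)
        if event == "HOST_AUTH":
            pending_auth[term] = (ts, fields["amount"])
        elif event in TAMPER_EVENTS:
            tamper.setdefault(term, []).append((ts, event))
        elif event == "DISPENSE":
            auth = pending_auth.pop(term, None)  # one authorization covers one dispense
            ok = (auth is not None and ts - auth[0] <= AUTH_WINDOW
                  and auth[1] == fields["amount"])
            if not ok:  # no authorization, a stale one, or an amount mismatch
                recent = [e for t, e in tamper.get(term, []) if ts - t <= TAMPER_WINDOW]
                alerts.append({"time": ts.isoformat(), "terminal": term,
                               "amount": int(fields["amount"]),
                               "severity": "critical" if recent else "high",
                               "preceding_tamper": recent})
    return alerts
```

On the constructed journal, the two dispenses that follow the cabinet and disk events are rated critical, and the ATM-22 dispense is rated high because its authorization is older than the assumed window.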

While jackpotting doesn't compromise consumer data like skimming attacks, its financial impact on banks threatens the stability of cash infrastructure. The FBI's alert underscores the urgent need for enhanced physical-digital security integration in banking systems.
