ATM Jackpotting Attacks Surge: Over $20 Million Stolen in 2025

Security Reporter

The FBI warns of a dramatic increase in ATM malware attacks using Ploutus to bypass security, resulting in $20M+ losses and offering defense strategies for financial institutions.

Financial institutions face escalating threats from ATM "jackpotting" attacks, with the FBI reporting over $20 million stolen in 2025 alone through malware-driven heists. According to a recent FBI flash alert, last year saw more than 700 incidents of criminals forcing ATMs to dispense cash using Ploutus malware—a sharp increase compared to the cumulative 1,900 incidents recorded between 2020 and 2024.

How Ploutus Malware Bypasses Security

Ploutus malware exploits the eXtensions for Financial Services (XFS) layer, which controls an ATM's physical components like cash dispensers. As FBI analysts explain: "When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. Ploutus allows threat actors to issue direct commands to XFS, bypassing bank authorization entirely." This manipulation enables criminals to trigger withdrawals without bank cards, customer accounts, or transaction approvals.

Attackers typically gain physical access using generic keys, then either:

  1. Remove the ATM's hard drive to copy malware onto it
  2. Swap the original drive with a preloaded infected drive

These operations often take minutes and frequently go undetected until cash reserves are depleted.

Defense Strategies for Financial Institutions

The FBI recommends concrete measures to counter these attacks:

  • Physical Audits: Regularly inspect ATMs for signs of tampering with removable storage devices
  • Gold Image Validation: Compare current ATM drive states against known-good "gold image" backups to detect unauthorized changes
  • Process Monitoring: Implement runtime monitoring for unusual processes that might evade network-based detection

"Combining physical audits with gold image validation provides early detection of intrusions that network monitoring alone might miss," the FBI emphasized in its alert.
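A minimal version of the gold image validation the FBI list item describes, as an added example (not code from the FBI alert or from any ATM vendor): it hashes every file under a trusted gold-image tree and under a live drive image, then reports what was added, removed or modified. The directory layout and file names are constructed for the demo.

```python
# Added example: gold-image validation by comparing SHA-256 file manifests.
# The directory layout and file names below are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large drive images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }

def compare_manifests(gold: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Diff a live drive's manifest against the gold image: added, removed, modified."""
    gold_keys, live_keys = set(gold), set(live)
    return {
        "added": sorted(live_keys - gold_keys),
        "removed": sorted(gold_keys - live_keys),
        "modified": sorted(k for k in gold_keys & live_keys if gold[k] != live[k]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed fixture: identical gold and live trees, then the live tree gets
    an unknown binary dropped in and its XFS-layer library altered."""
    with tempfile.TemporaryDirectory() as d:
        gold_root, live_root = Path(d) / "gold", Path(d) / "live"
        for root in (gold_root, live_root):
            (root / "atm").mkdir(parents=True)
            (root / "atm" / "atmapp.exe").write_bytes(b"legitimate ATM application")
            (root / "atm" / "xfs_layer.dll").write_bytes(b"legitimate XFS layer")
        # Simulated tampering on the live drive only
        (live_root / "atm" / "xfs_layer.dll").write_bytes(b"altered XFS layer")
        (live_root / "atm" / "unknown.exe").write_bytes(b"binary not in gold image")
        return compare_manifests(build_manifest(gold_root), build_manifest(live_root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the gold manifest is generated once from the trusted image and stored off the ATM, so an attacker who swaps or modifies the drive cannot also rewrite the baseline.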

Law Enforcement Response

This warning follows a major crackdown on the Tren de Aragua (TdA) criminal group, with the U.S. Department of Justice charging 87 members in recent months. Defendants face prison sentences ranging from 20 to 335 years for orchestrating nationwide ATM jackpotting operations using Ploutus.

The surge highlights critical vulnerabilities in ATM physical security. Financial institutions should prioritize layered defenses combining hardware integrity checks, physical access controls, and real-time process monitoring to prevent these increasingly sophisticated attacks.
