Executive Summary
In 2025, the United States saw a sharp rise in ATM "jackpotting" attacks, with more than 700 incidents reported and losses exceeding $20 million. (thehackernews.com) The attacker first gains physical access to the ATM's maintenance compartment, frequently with a generic key, then either infects the ATM PC's hard drive or swaps in a drive already loaded with malware such as the Ploutus family. Ploutus drives the cash dispenser through the CEN/XFS (eXtensions for Financial Services) middleware, the standard API that legitimate ATM software uses to talk to the dispenser, so the hardware pays out on commands that never passed through the bank host for authorization. (livemint.com)
This alarming trend underscores the evolving tactics of cybercriminals targeting financial institutions. The FBI has issued warnings and recommended mitigation strategies, including enhancing physical security measures, regularly updating ATM software, and monitoring for unauthorized access, to combat this growing threat. (thehackernews.com)
Why This Matters Now
The sharp increase in ATM jackpotting attacks in 2025 highlights the urgent need for financial institutions to bolster their security protocols. With over $20 million lost and 700 incidents reported last year alone, it's imperative to address both physical and software vulnerabilities in ATMs to prevent further financial losses and maintain public trust. (thehackernews.com)
Attack Path Analysis
Attackers gained physical access to the ATM with a generic maintenance key, installed Ploutus by infecting or replacing the hard drive, escalated privileges to take control of the ATM's application and device layer, established a command channel to the compromised machine and used it to issue dispense commands through the XFS interface that bypassed bank-host authorization, collected the cash directly from the dispenser, and caused losses exceeding $20 million in 2025.
Kill Chain Progression
Initial Compromise
Description
Attackers used widely available generic keys to unlock ATM maintenance compartments, gaining physical access to the machines.
Related CVEs
CVE-2013-1340
CVSS 8.4
The eXtensions for Financial Services (XFS) API in Microsoft Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 allows local users to gain privileges via a crafted application that leverages improper XFS object handling, aka 'Windows ATM XFS Privilege Escalation Vulnerability.'
Affected Products:
Microsoft Windows XP SP3
Microsoft Windows Server 2003 SP2
Microsoft Windows Vista SP2
Microsoft Windows Server 2008 SP2 and R2 SP1
Microsoft Windows 7 SP1
Microsoft Windows 8
Microsoft Windows Server 2012
Exploit Status: exploited in the wild
Note: CEN/XFS is middleware supplied by ATM vendors, not a component of Windows, so verify this description against the NVD record before relying on it. A local privilege escalation on the ATM PC belongs to the privilege-escalation stage of the kill chain; it plays no part in opening the cabinet, which the attackers did with a physical key.
MITRE ATT&CK® Techniques
Technique mapping is coarse and may be expanded with full STIX/TAXII enrichment later. The initial access in this campaign was physical, so Hardware Additions (T1200) fits that step better than Exploit Public-Facing Application (T1190), which is kept below for filtering purposes.
Exploit Public-Facing Application (T1190)
User Execution: Malicious File (T1204.002)
Boot or Logon Autostart Execution (T1547)
Indicator Removal (T1070, formerly "Indicator Removal on Host")
Data Manipulation (T1565)
Data Destruction (T1485)
Automated Exfiltration (T1020)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication for All Access to Cardholder Data Environment
Control ID: 8.4.2
PCI DSS 4.0 – Periodic Point of Interaction (POI) Device Inspections
Control ID: 9.5.1.2.1
PCI DSS 4.0 – Automated Log Reviews
Control ID: 10.4.1.1
PCI DSS 4.0 – Wireless Access Restrictions
Control ID: 11.2
PCI DSS 4.0 – Security Awareness and Training
Control ID: 12.6
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Direct target of ATM jackpotting attacks causing $20M+ losses, requiring enhanced physical security, encrypted traffic protection, and egress filtering capabilities.
Financial Services
High-risk sector for physical security attacks on financial infrastructure, needing zero trust segmentation and threat detection for payment systems protection.
Security/Investigations
Critical provider of physical security solutions and incident response services for ATM networks, requiring advanced anomaly detection and multicloud visibility capabilities.
Computer/Network Security
Essential for developing countermeasures against jackpotting attacks, implementing encrypted traffic solutions, intrusion prevention systems, and cloud-native security fabric technologies.
Sources
- Spitting Cash: ATM Jackpotting Attacks Surged in 2025 (Dark Reading) - https://www.darkreading.com/cyber-risk/atm-jackpotting-attacks-surged-2025
- FBI warns ATM 'jackpotting' attacks are on the rise, and netting hackers millions in stolen cash (TechCrunch) - https://techcrunch.com/2026/02/19/fbi-says-atm-jackpotting-attacks-are-on-the-rise-and-netting-hackers-millions-in-stolen-cash/
- FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025 (The Hacker News) - https://thehackernews.com/2026/02/fbi-reports-1900-atm-jackpotting.html
- Secret Service Warns of Sophisticated ATM Jackpotting Attack (U.S. Secret Service) - https://www.secretservice.gov/newsroom/releases/2018/01/secret-service-warns-sophisticated-atm-jackpotting-attack
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is relevant to the network side of this incident: ATM-to-host traffic, remote management paths, and any command channel the attackers relied on. By enforcing segmentation and identity-aware policy it could have reduced the attackers' ability to move from one compromised machine to others and limited the blast radius. The boundary should be stated plainly: in a Ploutus attack the dispense command is issued on the ATM PC itself and travels over the local XFS path to the dispenser, so no network control by itself stops that payout. Network controls help by detecting and containing the stages around it.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Physical access was obtained, but CNSF could have limited what that access was worth on the network by enforcing strict segmentation and identity-aware policies between ATMs, management systems, and the transaction host.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have confined a compromised ATM to the transaction host and its own management endpoints, denying the malware any route to other ATMs or back-office systems.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited lateral movement by monitoring and controlling internal traffic between ATMs and between ATMs and the back office, reducing the attacker's ability to propagate.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have exposed a command-and-control channel by flagging ATM hosts that connect to unexpected destinations or accept remote commands outside the approved management path.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have blocked unauthorized outbound connections from ATM hosts and surfaced a telltale pattern: dispenser activity on a machine with no corresponding authorization traffic to the bank host. It cannot itself stop a locally issued dispense; that requires physical controls and host-level integrity checks on the ATM.
Implemented together, these controls could have limited the reach of the attack beyond the first machine and shortened the time to detection, reducing financial loss and operational disruption.
Impact at a Glance
Affected Business Functions
- ATM Operations
- Cash Management
Estimated downtime: 3 days
Estimated loss: $20,000,000
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized access to ATM systems.
- Enhance physical security measures to prevent unauthorized access to ATM maintenance compartments.
- Deploy Threat Detection & Anomaly Response systems to monitor for unusual ATM behaviors.
- Regularly update and patch ATM software to mitigate known vulnerabilities.
- Conduct comprehensive security audits to identify and address potential weaknesses in ATM infrastructure.
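The "monitor for unusual ATM behaviors" recommendation above and the unauthorized dispense described in the attack path reduce to one reconciliation: every cash dispense should be traceable to a bank-host authorization, and a service-door opening followed by a reboot is a signal on its own. The following Python script is an added example, not code from the original page, the FBI, or any ATM vendor. It runs over constructed sample log lines in a hypothetical pipe-delimited format (`timestamp|atm_id|event_type|detail`); real electronic-journal and XFS trace formats are vendor-specific, and the event names and thresholds are assumptions to tune.

```python
"""Reconcile ATM dispense events against host authorizations and flag
jackpotting indicators.  Added example on constructed data: the log format,
event names and thresholds below are assumptions, not a vendor's format."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

AUTH_WINDOW = timedelta(seconds=60)    # host authorization may precede the dispense by at most this
REBOOT_WINDOW = timedelta(minutes=10)  # a boot this soon after a door-open suggests a disk swap
BURST_WINDOW = timedelta(minutes=5)    # BURST_COUNT dispenses inside this window is a cash-out burst
BURST_COUNT = 3

# Constructed sample journal: a night-time cabinet opening, a reboot, three
# dispenses with no host authorization, then two normal authorized withdrawals.
SAMPLE_EVENTS = """\
2025-03-02T01:12:04|ATM-0417|DOOR_OPEN|top_cabinet
2025-03-02T01:12:40|ATM-0417|BOOT|os_start
2025-03-02T01:15:10|ATM-0417|DISPENSE|amount=2000
2025-03-02T01:15:55|ATM-0417|DISPENSE|amount=2000
2025-03-02T01:16:40|ATM-0417|DISPENSE|amount=2000
2025-03-02T09:30:01|ATM-0417|HOST_AUTH|amount=200;txn=A1
2025-03-02T09:30:08|ATM-0417|DISPENSE|amount=200
2025-03-02T10:05:14|ATM-0417|HOST_AUTH|amount=100;txn=A2
2025-03-02T10:05:20|ATM-0417|DISPENSE|amount=100
"""


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    fields: Dict[str, str]


def parse_events(text: str) -> List[Event]:
    """Parse 'timestamp|atm|kind|k=v;k=v' lines into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, atm, kind, detail = line.split("|", 3)
        fields = dict(part.split("=", 1) for part in detail.split(";") if "=" in part)
        events.append(Event(datetime.fromisoformat(ts), atm, kind, fields))
    events.sort(key=lambda e: e.ts)
    return events


def find_jackpotting_indicators(events: List[Event]) -> List[dict]:
    """Return one finding per suspicious event.

    Indicators:
      dispense_without_host_auth  - no unconsumed HOST_AUTH (same ATM, same
                                    amount) within AUTH_WINDOW before the dispense
      service_access_then_reboot  - BOOT within REBOOT_WINDOW of a DOOR_OPEN
      rapid_dispense_burst        - BURST_COUNT dispenses within BURST_WINDOW
    """
    findings: List[dict] = []
    pending_auth: Dict[str, List[Event]] = {}        # unconsumed HOST_AUTH per ATM
    last_door_open: Dict[str, datetime] = {}
    recent_dispenses: Dict[str, List[datetime]] = {}
    in_burst: Dict[str, bool] = {}

    def report(e: Event, indicator: str, **extra) -> None:
        findings.append({"atm": e.atm, "ts": e.ts.isoformat(), "indicator": indicator, **extra})

    for e in events:
        if e.kind == "HOST_AUTH":
            pending_auth.setdefault(e.atm, []).append(e)
        elif e.kind == "DOOR_OPEN":
            last_door_open[e.atm] = e.ts
        elif e.kind == "BOOT":
            opened = last_door_open.get(e.atm)
            if opened is not None and e.ts - opened <= REBOOT_WINDOW:
                report(e, "service_access_then_reboot")
        elif e.kind == "DISPENSE":
            amount = e.fields.get("amount")
            # Consume the oldest authorization that matches this dispense.
            match = next((a for a in pending_auth.get(e.atm, [])
                          if a.fields.get("amount") == amount
                          and timedelta(0) <= e.ts - a.ts <= AUTH_WINDOW), None)
            if match is not None:
                pending_auth[e.atm].remove(match)
            else:
                report(e, "dispense_without_host_auth", amount=amount)
            # Burst detection over a sliding window, one finding per burst.
            window = [t for t in recent_dispenses.get(e.atm, []) if e.ts - t <= BURST_WINDOW]
            window.append(e.ts)
            recent_dispenses[e.atm] = window
            if len(window) >= BURST_COUNT and not in_burst.get(e.atm, False):
                report(e, "rapid_dispense_burst", dispenses=len(window))
                in_burst[e.atm] = True
            elif len(window) < BURST_COUNT:
                in_burst[e.atm] = False
    return findings


def summarize(findings: List[dict]) -> Counter:
    """Count findings by indicator, e.g. to drive a per-ATM alert threshold."""
    return Counter(f["indicator"] for f in findings)


if __name__ == "__main__":
    for finding in find_jackpotting_indicators(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the sample data the script reports the reboot that followed the door opening, the three 2000-unit dispenses that no host authorization explains, and one burst finding; the two authorized withdrawals produce nothing. Two design points matter in practice. First, the dispenser journal and the host-authorization feed must both be collected off the machine in near real time, since an attacker who has the hard drive can wipe the local journal (Indicator Removal is already in the technique list above). Second, the `timedelta(0) <=` check requires the authorization to precede the dispense, so ATM and host clocks need to be synchronized or the window widened to tolerate skew.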