Executive Summary
In 2025, the FBI reported a significant surge in ATM jackpotting incidents across the United States, with over 700 attacks resulting in more than $20 million in losses. In these attacks criminals open the ATM's top cabinet with generic keys that fit many machines of the same model, reach the computer inside, and install malware such as Ploutus that commands the cash dispenser directly, forcing the machine to pay out with no card transaction and no authorization from the bank's host. The malware is then driven from a keyboard or other device plugged into the machine, so no network intrusion is required.
The trend underscores that jackpotting is first a physical-security problem and only secondly a software one: as long as the cabinet opens with a common key, the attacker is sitting at the ATM's console. Financial institutions need to treat the ATM computer as an exposed endpoint and harden both the cabinet and the host accordingly.
Why This Matters Now
Jackpotting is a known technique, but the 2025 figures (over 700 attacks, more than $20 million lost, per the FBI reporting cited below) show it scaling into an organized, repeatable operation rather than an occasional event. The tooling is mature, the entry point is a generic key, and every unhardened machine of an affected model is a candidate, so fleet-wide remediation cannot wait for the next incident.
Attack Path Analysis
Cybercriminals gained physical access to ATMs using generic keys, connected to the ATM's internal computer, and installed malware such as Ploutus, which runs on the ATM's Windows host alongside the vendor's dispenser software. From there they issued dispense commands until the cassettes were empty, money mules collected the cash, and the operation was repeated across machines, producing losses exceeding $20 million in 2025.
Kill Chain Progression
Initial Compromise
Description
Attackers gained physical access to ATMs using widely available generic keys to open the machine's top cabinet, the compartment that houses the ATM computer (as opposed to the safe that holds the cash cassettes). With the cabinet open they could attach a keyboard or other device to the computer and install the malware.
Related CVEs
CVE-2013-1340
CVSS 8.4 (as listed on this page). None of the cited sources attributes the 2025 campaign to this or any other specific CVE. Ploutus does not need a software exploit: after physical access it runs as an ordinary program on the ATM's Windows host and issues dispense commands through the vendor's XFS middleware, the same interface the legitimate ATM application uses. Treat the CVE linkage as unconfirmed and prioritise the physical and host-hardening controls in the recommendations below over patching any single CVE.
Affected Products:
Multiple ATM Software – Various
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Hardware Additions (T1200): a keyboard or laptop connected to the ATM computer after the cabinet is opened; the attack needs no network-based initial access.
Command and Scripting Interpreter (T1059): the malware and its helper commands run on the ATM's Windows host.
Masquerading (T1036): Ploutus binaries are named after legitimate vendor components so they blend in with the ATM application stack.
Potential Compliance Exposure
Mapping incident impact to PCI DSS 4.0 requirements. Because initial access was physical, the most directly relevant requirement is the protection of point-of-interaction devices from tampering; the remaining entries cover the configuration and access-control weaknesses the attack relies on once the cabinet is open.
PCI DSS 4.0 – Point-of-Interaction Devices Protected from Tampering and Unauthorized Substitution
Control ID: 9.5
PCI DSS 4.0 – Change Vendor Supplied Default Credential & Security Configurations
Control ID: 2.2.1
PCI DSS 4.0 – Storage of Account Data is Kept to a Minimum
Control ID: 3.2
PCI DSS 4.0 – Access Control Policies and Procedures
Control ID: 7.2
PCI DSS 4.0 – Account Management
Control ID: 8.2
PCI DSS 4.0 – Wireless Access Restrictions
Control ID: 11.2
Sector Implications
Industry-specific impact of the attack, covering operational, regulatory, and network security risks.
Banking/Mortgage
Primary target of ATM jackpotting, with $20M in 2025 losses. Banks need unique cabinet locks, tamper alarms that report off-site, hardened ATM hosts (disk encryption, application allow-listing, authenticated dispenser communication where the vendor supports it), and network segmentation so a compromised ATM cannot reach the rest of the financial infrastructure.
Financial Services
Exposed through ATM fleets and shared processing networks. Network monitoring and egress controls will not stop a dispense command issued locally at the machine, but they do reveal ATMs that open unexpected connections and contain any malware variant that phones home, and they keep one compromised ATM from being used against the processing environment.
Computer/Network Security
Critical need for countermeasures that start at the physical layer: cabinet-open and USB-attach sensing, correlation of those events with dispenser activity, anomaly detection on dispense patterns that have no matching host-authorised transaction, and zero trust segmentation of ATM networks for financial institution clients.
Law Enforcement
FBI-reported surge in ATM jackpotting means investigators need timely tamper and dispense telemetry from affected machines, preserved host images of infected ATM computers, and surveillance footage, since the crews operate across jurisdictions and revisit machines of the same model.
Sources
- FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025: https://thehackernews.com/2026/02/fbi-reports-1900-atm-jackpotting.html
- Six More Defendants Charged in International 'ATM Jackpotting' Scheme: https://www.justice.gov/opa/pr/six-more-defendants-charged-international-atm-jackpotting-scheme
- FBI warns ATM 'Jackpotting' attacks surge, minting hackers millions in cash: https://www.geo.tv/latest/651959-fbi-warns-atm-jackpotting-attacks-surge-minting-hackers-millions-in-cash
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident at the network layer only: it cannot stop a dispense command issued locally on an ATM whose cabinet has been opened, but it could have constrained what an attacker with a foothold on the ATM host could reach beyond that one machine.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Once physical access is obtained the ATM host must be treated as compromised; CNSF segmentation and access controls could have limited that host to the transaction processing endpoints it needs and nothing else.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have kept a compromised ATM from reaching other ATMs, the branch network or back-office systems by allowing only the specific flows an ATM requires.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited lateral movement by monitoring and controlling internal traffic between ATM segments and the rest of the network.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have exposed unexpected connections from an ATM, such as a command-and-control channel, through real-time monitoring of network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have blocked any outbound connection from an ATM that was not to an approved processing host, cutting off malware variants that phone home.
The cash leaves through the dispenser slot, not the network, so these controls reduce the blast radius of a compromised ATM rather than the loss from that one machine. The dispense itself is addressed by physical lock replacement, tamper alarms, disk encryption and application allow-listing on the ATM host.
Impact at a Glance
Affected Business Functions
- ATM Operations
- Cash Management
- Customer Service
Estimated downtime: 3 days
Estimated loss: $20,000,000
Recommended Actions
Key Takeaways & Next Steps
- Replace generic top-cabinet locks with unique keys, add cabinet-open and tamper alarms that report to an off-site monitor, and cover each ATM with surveillance.
- Deploy intrusion detection that correlates cabinet-open and USB-attach events with dispenser activity, and alert on any dispense that has no matching host-authorised transaction.
- Regularly audit and update ATM software, including the operating system and the vendor's dispenser middleware, and enable full-disk encryption and application allow-listing on the ATM computer so a plugged-in device cannot boot it or run unapproved binaries.
- Enforce strict access controls and authentication, including authenticated communication between the ATM computer and the dispenser where the vendor supports it, so a replaced or compromised host cannot issue dispense commands.
- Educate branch staff and service technicians to recognise and report signs of tampering, unknown devices attached to an ATM, and unannounced "service" visits.
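To make the kill chain above concrete on the defender's side, the following script is an added example (not code from the FBI, the DOJ, or any ATM vendor) that correlates a constructed ATM event feed and raises alerts on the three signals this attack path produces: a dispense with no matching host authorisation, a dispense shortly after a cabinet-open or USB-attach event, and a burst of dispenses. The event schema, field names, thresholds and sample log lines are all assumptions made for illustration; a real monitoring feed has its own format and needs its own parser.

```python
"""Flag jackpotting-style cash-outs from an ATM event feed.

Added example, not code from the FBI, DOJ or any ATM vendor. Event names,
field names, thresholds and the sample lines below are constructed for
illustration; a real monitoring feed has its own schema and parser.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Detection thresholds (assumed values; tune to the fleet's real behaviour).
AUTH_WINDOW = timedelta(seconds=30)    # a DISPENSE must follow its HOST_AUTH within this
TAMPER_WINDOW = timedelta(minutes=15)  # cabinet/USB event this close before a dispense
BURST_COUNT = 3                        # this many dispenses ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this window = cash-out burst

# Constructed sample feed: ATM-0417 is being jackpotted (cabinet opened, a
# keyboard attached, repeated dispenses with no transaction id); ATM-0102
# serves normal withdrawals where every DISPENSE follows a HOST_AUTH.
SAMPLE_LOG = """\
2025-03-14T02:11:03Z atm=ATM-0417 event=CABINET_OPEN source=top_hat_sensor
2025-03-14T02:11:40Z atm=ATM-0417 event=USB_ATTACH class=HID
2025-03-14T02:13:15Z atm=ATM-0417 event=DISPENSE txn=- amount=2000
2025-03-14T02:13:22Z atm=ATM-0417 event=DISPENSE txn=- amount=2000
2025-03-14T02:13:29Z atm=ATM-0417 event=DISPENSE txn=- amount=2000
2025-03-14T02:13:36Z atm=ATM-0417 event=DISPENSE txn=- amount=2000
2025-03-14T09:05:10Z atm=ATM-0102 event=HOST_AUTH txn=T1001 amount=200
2025-03-14T09:05:12Z atm=ATM-0102 event=DISPENSE txn=T1001 amount=200
2025-03-14T09:07:40Z atm=ATM-0102 event=HOST_AUTH txn=T1002 amount=60
2025-03-14T09:07:43Z atm=ATM-0102 event=DISPENSE txn=T1002 amount=60
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line: str) -> dict | None:
    """Parse one 'timestamp key=value ...' line; return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def _alert(atm: str, rule: str, e: dict) -> dict:
    return {"atm": atm, "rule": rule, "ts": e["ts"].isoformat(), "amount": e.get("amount")}


def detect(log_text: str) -> list[dict]:
    """Return one alert dict per rule hit, grouped by ATM in time order."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_atm: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_atm[e.get("atm", "?")].append(e)

    alerts: list[dict] = []
    for atm, evs in by_atm.items():
        auths: dict[str, datetime] = {}   # txn id -> time of its HOST_AUTH
        tamper: list[datetime] = []       # cabinet-open / USB-attach times
        dispenses: list[datetime] = []    # dispense times seen so far
        for e in evs:
            kind = e.get("event")
            if kind == "HOST_AUTH":
                auths[e.get("txn", "-")] = e["ts"]
            elif kind in ("CABINET_OPEN", "USB_ATTACH"):
                tamper.append(e["ts"])
            elif kind == "DISPENSE":
                # Rule 1: every dispense must be tied to a recent host-authorised txn.
                txn = e.get("txn", "-")
                auth_ts = auths.get(txn)
                if txn == "-" or auth_ts is None or e["ts"] - auth_ts > AUTH_WINDOW:
                    alerts.append(_alert(atm, "unauthorized_dispense", e))
                # Rule 2: a physical tamper signal shortly before the dispense.
                if any(e["ts"] - t <= TAMPER_WINDOW for t in tamper):
                    alerts.append(_alert(atm, "dispense_after_tamper", e))
                # Rule 3: burst of dispenses; fire once when the threshold is crossed.
                dispenses.append(e["ts"])
                recent = [t for t in dispenses if e["ts"] - t <= BURST_WINDOW]
                if len(recent) == BURST_COUNT:
                    alerts.append(_alert(atm, "cash_out_burst", e))
    return alerts


def summarize(alerts: list[dict]) -> dict[str, dict[str, int]]:
    """Per-ATM count of each rule, the shape a first-look dashboard wants."""
    out: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        out[a["atm"]][a["rule"]] += 1
    return {atm: dict(rules) for atm, rules in out.items()}


if __name__ == "__main__":
    for atm, rules in summarize(detect(SAMPLE_LOG)).items():
        print(atm, rules)
```

Run as-is and only ATM-0417 produces alerts: four unauthorised dispenses, four dispenses following a tamper signal, and one cash-out burst; ATM-0102's withdrawals pass every rule. Two design points matter in practice: the cabinet sensor and the dispenser telemetry have to reach an off-box collector, because once Ploutus is on the ATM host that host's own logs are under the attacker's control, and the host-authorisation check is the rule that survives a quiet attacker who opens the cabinet slowly and spaces the dispenses out.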



