Executive Summary
In early 2024, federal prosecutors in South Carolina uncovered a sophisticated ATM jackpotting scheme perpetrated by two Venezuelan nationals. Employing financial malware, the attackers compromised U.S. bank ATM networks and extracted hundreds of thousands of dollars in cash. The scheme involved the unauthorized installation of malware on ATM machines, which enabled the criminals to override withdrawal limits and rapidly dispense large sums of money. Following their arrest, both individuals were convicted and will be deported after serving their sentences, highlighting significant vulnerabilities in ATM security and network segmentation.
This incident reflects a growing trend in financial crime, where cybercriminals target banking infrastructure using advanced malware and physical access techniques. Regulators and banks are increasingly focused on hardening ATM systems and tightening controls to prevent similar attacks as cyber-enabled fraud remains a persistent and evolving threat.
Why This Matters Now
This ATM jackpotting incident underscores the urgent need for financial institutions to fortify endpoint devices and segment networks to prevent lateral movement by threat actors. As financial malware attacks rise globally, regulatory scrutiny and compliance requirements around ATM and payment system security are expected to increase.
Attack Path Analysis
Attackers initiated their scheme by deploying ATM malware, likely through physical or local network compromise of bank systems. They escalated privileges to interact directly with ATM management software, enabling control over cash dispensing functions. Lateral movement within the bank's infrastructure allowed them to access multiple ATMs, coordinate actions, and conceal their tracks. Command and control was maintained via covert communication channels between the compromised ATMs and attacker-controlled infrastructure. Stolen funds were exfiltrated through fraudulent cash withdrawals and potentially the transmission of transactional data. The impact was direct financial loss and operational disruption for the victim banks.
Kill Chain Progression
Initial Compromise
Description
Malware was deployed onto ATM or banking systems, likely via USB device, phishing, or supply chain/software vulnerabilities.
Related CVEs
CVE-2013-1340
CVSS 7.8
An unspecified vulnerability in certain Diebold ATMs allows attackers to install malware that can dispense cash without authorization.
Affected Products:
Diebold ATM – Unspecified
Exploit Status:
exploited in the wild
CVE-2010-4371
CVSS 9.8
A vulnerability in the Windows XP operating system used by some ATMs allows remote attackers to execute arbitrary code via crafted network packets.
Affected Products:
Microsoft Windows XP – SP3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Mappings reflect core techniques used in ATM jackpotting and malware attacks; further enrichment available as needed.
Process Injection
User Execution
Exploitation for Privilege Escalation
Indicator Removal on Host
Exfiltration Over Alternative Protocol
Resource Hijacking
Use Alternate Authentication Material
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control Measures
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 11
CISA ZTMM 2.0 – Strong Authentication Across Assets
Control ID: Identity Pillar, Control 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Direct target of Venezuelan ATM jackpotting scheme requiring enhanced encrypted traffic protection, zero trust segmentation, and egress security to prevent financial malware attacks.
Financial Services
Critical vulnerability to financial malware attacks necessitating multicloud visibility, threat detection capabilities, and inline IPS protection against similar jackpotting schemes targeting payment systems.
Computer/Network Security
Must address financial malware threats through a cloud native security fabric, anomaly detection systems, and Kubernetes security to protect financial sector clients from ATM exploitation.
Law Enforcement
Responsible for investigating and prosecuting financial malware crimes, requiring enhanced visibility tools and secure hybrid connectivity to track international cybercriminal deportation cases effectively.
Sources
- US to deport Venezuelans who emptied bank ATMs using malware: https://www.bleepingcomputer.com/news/security/us-to-deport-venezuelans-who-emptied-bank-atms-using-malware/ (Verified)
- Venezuelan Nationals Convicted in ATM Jackpotting Scheme to Be Deported: https://www.justice.gov/usao-sc/pr/venezuelan-nationals-convicted-atm-jackpotting-scheme-be-deported (Verified)
- ATM 'jackpotting' hacks reach the US: https://www.engadget.com/2018-01-28-atm-jackpotting-hacks-reach-the-us.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust Segmentation, east-west traffic security, inline IPS, and robust egress policy enforcement would have reduced attacker movement, limited malware deployment, and detected or blocked malicious communication and data exfiltration. CNSF controls offer microsegmentation and real-time egress filtering that can directly prevent or alert on key stages of the attack lifecycle.
Control: Inline IPS (Suricata)
Mitigation: Known exploit delivery and malware payloads could be detected and blocked.
Control: Zero Trust Segmentation
Mitigation: Lateral exploitation paths used for escalation would be constrained.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral traffic is detected and denied between workloads.
Control: Multicloud Visibility & Control
Mitigation: Suspicious or anomalous outbound communications would be observable and could trigger alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are denied and logged, and unauthorized network connections that enable destructive actions are prevented.
Impact at a Glance
Affected Business Functions
- Cash Dispensing Operations
- ATM Maintenance
Estimated downtime: 3 days
Estimated loss: $285,100
No customer data was compromised; losses were limited to the physical cash stolen from ATMs.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IPS at all ingress points to automatically detect and block known malware and exploit attempts.
- Enforce Zero Trust Segmentation and east-west security to limit lateral attacker movement across internal systems.
- Apply strict egress filtering and centralized policy to block unauthorized outbound connections from critical workloads.
- Implement robust anomaly and threat detection to rapidly identify suspicious activity and enable timely response.
- Review and harden ATM and critical infrastructure access policies to minimize attack surface and enforce least privilege.
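As an added example of the anomaly detection recommended above (not code from the advisory, the affected banks, or any vendor), the following Python scores constructed ATM dispense-event log lines against three signals implied by the attack description: a dispense with no host authorization, a single dispense above the withdrawal limit, and rapid high-volume dispensing from one machine. The log format, field names and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample dispense-event log (not from any real ATM or bank system).
# Assumed format: "<ISO timestamp> atm=<id> event=DISPENSE amount=<USD> auth=<host auth id|NONE>"
SAMPLE_LOG = """\
2024-02-03T14:01:05 atm=ATM-0412 event=DISPENSE amount=200 auth=TX90117
2024-02-03T14:03:40 atm=ATM-0412 event=DISPENSE amount=300 auth=TX90118
2024-02-03T14:10:02 atm=ATM-0412 event=DISPENSE amount=2000 auth=NONE
2024-02-03T14:10:09 atm=ATM-0412 event=DISPENSE amount=2000 auth=NONE
2024-02-03T14:10:17 atm=ATM-0412 event=DISPENSE amount=2000 auth=NONE
2024-02-03T14:10:25 atm=ATM-0412 event=DISPENSE amount=2000 auth=NONE
2024-02-03T15:22:11 atm=ATM-0977 event=DISPENSE amount=400 auth=TX90250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) atm=(?P<atm>\S+) event=DISPENSE amount=(?P<amount>\d+) auth=(?P<auth>\S+)$")

# Illustrative thresholds (assumptions, not values from the advisory).
PER_TX_LIMIT = 1000          # normal single-withdrawal limit in USD
WINDOW = timedelta(minutes=2)
WINDOW_TOTAL_LIMIT = 3000    # cash per ATM inside WINDOW before a velocity alert

def parse(log_text):
    """Parse matching lines into (timestamp, atm, amount, auth); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["atm"], int(m["amount"]), m["auth"]))
    return events

def detect_jackpotting(log_text):
    """Return a list of (atm, reason) alerts for the three jackpotting signals."""
    alerts = []
    recent = defaultdict(list)  # per-ATM sliding window of (timestamp, amount)
    for ts, atm, amount, auth in sorted(parse(log_text)):
        if auth == "NONE":
            alerts.append((atm, f"dispense of {amount} with no host authorization at {ts.isoformat()}"))
        if amount > PER_TX_LIMIT:
            alerts.append((atm, f"single dispense {amount} exceeds per-transaction limit {PER_TX_LIMIT}"))
        # Keep only events still inside the window, then add the current one.
        recent[atm] = [(t, a) for t, a in recent[atm] if ts - t <= WINDOW] + [(ts, amount)]
        total = sum(a for _, a in recent[atm])
        if total > WINDOW_TOTAL_LIMIT:
            alerts.append((atm, f"{total} dispensed within {WINDOW} exceeds velocity limit {WINDOW_TOTAL_LIMIT}"))
    return alerts

if __name__ == "__main__":
    for atm, reason in detect_jackpotting(SAMPLE_LOG):
        print(f"ALERT {atm}: {reason}")
```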

