Executive Summary
In late 2025 and early 2026, US law enforcement charged 31 additional suspects in a major campaign of ATM jackpotting attacks attributed to the Venezuelan criminal gang Tren de Aragua. The attackers breached numerous ATMs across the United States, installing Ploutus malware by physically accessing internal components and deploying malware to force the machines to dispense large quantities of cash. The sophisticated attacks leveraged swapped hard drives or infected USB devices and allowed the perpetrators to launder stolen funds internationally, inflicting millions of dollars in losses on banks and credit unions. To date, over 87 individuals have been charged in this transnational criminal scheme.
This incident highlights the evolving tactics of financially motivated threat groups combining physical access and technical expertise. The designation of Tren de Aragua as a Foreign Terrorist Organization underscores law enforcement’s recognition of cyber-enabled financial crime as a national security threat and signals intensified global scrutiny on such operations.
Why This Matters Now
This breach demonstrates how criminal groups are scaling coordinated cyber-physical attacks to exploit financial infrastructure vulnerabilities. With law enforcement prioritizing countermeasures, financial institutions must adapt their defenses amid rising advanced ATM malware campaigns and heightened global compliance risk.
Attack Path Analysis
Attackers gained initial access to ATMs by physically opening the devices and installing malicious hardware or USBs, leading to the deployment of Ploutus malware. They escalated privileges by replacing or manipulating the ATM operating system to gain administrative control. Lateral movement was likely limited but may have involved navigating networked ATM backends or communicating with additional ATMs. Command and Control was maintained as malware operators communicated with infected ATMs to issue dispensing commands. Exfiltration focused on physical cash withdrawals, with some digital transfer and laundering of stolen funds. The impact involved the emptying of ATM machines, theft of millions, and disruption of banking services.
Kill Chain Progression
Initial Compromise
Description
Attackers physically accessed ATMs, opening device housings and installing malware via infected hard drives or USBs.
Related CVEs
CVE-2013-1340
CVSS 9.8An unspecified vulnerability in the Kalignite ATM software allows remote attackers to execute arbitrary code via unknown vectors.
Affected Products:
KAL Kalignite – < 3.0.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Mapping covers observed ATM malware and jackpotting TTPs; suitable for SEO and filtering, with fuller enrichment (STIX/TAXII, etc.) possible in downstream processing.
User Execution
Exploitation for Privilege Escalation
Valid Accounts
Container Administration Command
Masquerading
File Deletion
Software Packing
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Automated Audit Trails for All System Components
Control ID: Requirement 10.2.1
PCI DSS 4.0 – Install Security Patches for all System Components
Control ID: Requirement 6.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
CISA Zero Trust Maturity Model 2.0 – Continuous Monitoring and Risk Assessment
Control ID: 2.3.2
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
NIS2 Directive – Cybersecurity Risk Management and Reporting Obligations
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target of Ploutus ATM malware attacks requiring enhanced egress security, zero trust segmentation, and threat detection capabilities to prevent financial infrastructure compromise.
Financial Services
Critical exposure to sophisticated ATM jackpotting schemes necessitating multicloud visibility, encrypted traffic controls, and anomaly response systems for comprehensive financial system protection.
Computer/Network Security
Essential for deploying inline IPS, cloud native security fabric, and kubernetes security solutions to combat transnational criminal organization malware deployment tactics.
Law Enforcement
Requires advanced threat intelligence and investigation capabilities to counter Tren de Aragua's transnational ATM malware operations spanning multiple jurisdictions and terrorist financing.
Sources
- US charges 31 more suspects linked to ATM malware attackshttps://www.bleepingcomputer.com/news/security/us-charges-31-more-suspects-linked-to-atm-malware-attacks/Verified
- Tren de Aragua Members and Leaders Indicted in Multi-Million Dollar ATM Jackpotting Schemehttps://www.justice.gov/usao-ne/pr/tren-de-aragua-members-and-leaders-indicted-multi-million-dollar-atm-jackpotting-schemeVerified
- ATM Jackpotting Attack: Tren de Aragua Gang Exploits Ploutus Malware on Legacy Windows XP ATMs in US, Leading to Multi-State Indictments and Deportationshttps://www.rescana.com/post/atm-jackpotting-attack-tren-de-aragua-gang-exploits-ploutus-malware-on-legacy-windows-xp-atms-in-usVerified
- Kaspersky finds ATM/PoS malware on the rise since the height of COVID-19https://usa.kaspersky.com/about/press-releases/kaspersky-finds-atmpos-malware-on-the-rise-since-the-height-of-covid-19Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust network segmentation, microsegmentation, egress policy enforcement, and visibility controls could have detected anomalous access, limited malware spread, and prevented unauthorized communication or data movement, thus constraining attack reach and financial loss even if an initial compromise occurred. East-west traffic security and strict policy enforcement would have disrupted lateral movement, command channels, and exfiltration attempts.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Early detection and reduced attack surface would discourage or reveal attempts at initial compromise.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized privilege escalation by restricting networked access only to validated identities and workloads.
Control: East-West Traffic Security
Mitigation: Blocks or detects suspicious lateral movement, containing breaches to initial device(s).
Control: Multicloud Visibility & Control
Mitigation: Detects and alerts on anomalous traffic patterns indicative of remote C2 activity.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or blocks unauthorized outbound transfers and exfiltration attempts.
Detection and blocking of known malicious payloads and attempts to disrupt or wipe systems.
Impact at a Glance
Affected Business Functions
- Cash Dispensing Operations
Estimated downtime: 3 days
Estimated loss: $5,400,000
No evidence indicates that customer data or individual accounts were compromised; all stolen funds were taken directly from the banks’ ATM reserves.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust segmentation and microsegmentation policies to limit device-to-device communication and privilege escalation within ATM and banking networks.
- • Enforce strict east-west traffic visibility and anomaly detection to rapidly identify lateral movement or unauthorized command channels between ATMs or backend infrastructure.
- • Deploy comprehensive egress security and policy controls, blocking unauthorized outbound connections and monitoring for data exfiltration patterns.
- • Integrate inline IPS and real-time workload inspection at the network edge to detect and prevent known malware payloads and suspicious device behavior.
- • Continuously monitor and audit all ATM and banking device states with centralized control, leveraging automated incident response workflows to rapidly contain suspicious or compromised endpoints.
