Executive Summary
In December 2025, the U.S. Department of Justice charged 54 individuals associated with the Tren de Aragua criminal gang in a far-reaching ATM jackpotting operation across the United States. By installing Ploutus malware on automated teller machines, the group commanded the machines' cash dispensers to empty their cassettes on demand, with no card, PIN or authorized transaction involved, ultimately stealing millions of dollars. The multi-state scheme involved coordinated physical access to ATMs, installation of the malware, and cash-out teams, highlighting significant gaps in ATM physical and host security controls.
This incident underscores an escalating wave of financially motivated attacks leveraging sophisticated malware and organized criminal networks. With jackpotting attacks resurging globally and law enforcement intensifying their response, organizations must prioritize layered defenses, real-time anomaly detection, and compliance with evolving regulatory requirements.
Why This Matters Now
ATM jackpotting using advanced malware is surging, driven by organized criminal syndicates and evolving attacker tactics targeting critical financial infrastructure. As law enforcement cracks down, attackers are diversifying targets and tools, making robust network segmentation, continuous monitoring, and compliance alignment urgent priorities for financial institutions and their partners.
Attack Path Analysis
As summarized above, the operation started with physical access: crews opened ATM cabinets to reach the internal computer and installed Ploutus on it. Once installed, Ploutus runs on the ATM's Windows platform and talks to the same cash-dispensing software layer (the XFS middleware) that the legitimate ATM application uses, so it can issue dispense commands that the bank's host never authorized. An on-site operator then triggers the payout, and a cash-out crew collects the money; some Ploutus variants have also accepted activation commands from a mobile phone wired to the machine. Repeating the process across many machines in several states produced multi-million dollar losses plus the downtime needed to take affected machines out of service and rebuild them. The indictment as summarized here describes on-site installation and cash-out rather than network intrusion or theft of customer data, which is consistent with the absence of reported customer data exposure below.
Kill Chain Progression
Initial Compromise
Description
Attackers gained physical access to the ATM's internal computer (the upper cabinet that houses the PC, not the safe that holds the cash) and installed Ploutus, giving them code execution on the ATM platform and control of the dispenser software stack.
Related CVEs
The indictment as summarized above describes physical access and malware installation rather than exploitation of a specific software flaw; the entries below are listed as related to ATM platform security, not as the vector confirmed in this scheme.
CVE-2013-1340 (CVSS 7.8)
An unspecified vulnerability in NCR SelfServ ATMs running APTRA XFS allows physical attackers to execute arbitrary code via an unknown vector.
Affected Products:
NCR SelfServ ATMs – APTRA XFS
Exploit Status:
exploited in the wild
CVE-2014-0980 (CVSS 7.8)
An unspecified vulnerability in Diebold ATMs running Agilis software allows physical attackers to execute arbitrary code via an unknown vector.
Affected Products:
Diebold ATMs – Agilis
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Hardware Additions (T1200), reflecting the on-site installation described above
User Execution (T1204)
System Services: Service Execution (T1569.002)
Process Injection (T1055)
Valid Accounts (T1078)
Remote Services: SMB/Windows Admin Shares (T1021.002)
Inhibit System Recovery (T1490)
Windows Management Instrumentation (T1047)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
PCI DSS 4.0 – Audit Log Generation and Review
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Incident Handling and Reporting
Control ID: Art. 21(2)(b) (incident handling); Art. 23 (reporting obligations)
CISA ZTMM 2.0 – Least Privilege and Strong Authentication
Control ID: Identity Pillar, Access Management
DORA – ICT Risk Management Framework, Protection and Prevention
Control ID: Art. 6 (framework); Art. 9(2) (protection and prevention measures)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Direct ATM jackpotting attacks using Ploutus malware against financial infrastructure require physical hardening of the ATM cabinet and host (since the malware is installed on site) alongside egress security, threat detection capabilities, and zero trust segmentation controls that confine a compromised machine.
Financial Services
A multi-million dollar scheme in which cash was dispensed without any authorized transaction shows that the dispenser can be driven entirely outside the payment authorization flow; host-side reconciliation of dispense events against approved transactions, together with encrypted ATM-to-host traffic, is needed to catch it quickly.
Law Enforcement
The DOJ indictment of 54 individuals in the Tren de Aragua ATM jackpotting conspiracy shows the value of threat intelligence sharing between financial institutions and investigators, so that incidents spread across many states can be linked to a single crew.
Information Technology/IT
Ploutus deployment on ATM systems highlights the need for host hardening of the ATM PC (application allowlisting, disk encryption, locked-down boot), inline IPS protection on ATM network segments, and strict separation of payment infrastructure from general IT.
Sources
- U.S. DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware (The Hacker News): https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html
- Tren De Aragua Members and Leaders Indicted in Multi-Million Dollar ATM Jackpotting Scheme (U.S. Department of Justice, U.S. Attorney's Office, District of Nebraska): https://www.justice.gov/usao-ne/pr/tren-de-aragua-members-and-leaders-indicted-multi-million-dollar-atm-jackpotting-scheme
- Kaspersky finds ATM/PoS malware on the rise since the height of COVID-19 (Kaspersky): https://usa.kaspersky.com/about/press-releases/kaspersky-finds-atmpos-malware-on-the-rise-since-the-height-of-covid-19
- ATM jackpotting gang accused of unleashing Ploutus malware across US (The Register): https://www.theregister.com/2025/12/19/tren_de_aragua_atm/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Because Ploutus is installed through physical access to the ATM cabinet, network controls cannot stop the initial installation on their own. What CNSF controls such as zero trust segmentation, encrypted traffic enforcement, lateral movement prevention and egress policy enforcement can do is confine a compromised machine: an infected ATM is prevented from reaching other ATMs or back-end systems, any remote activation or command channel stands out against a tightly scoped allowlist, and dispense activity the host never authorized is surfaced quickly. Strong segmentation, encrypted data in transit and granular visibility together reduce the blast radius of a single compromised machine.
Control: Encrypted Traffic (HPE)
Mitigation: Management and transaction traffic cannot be read or injected on the path between ATM and host, so tampering with that traffic is rendered ineffective.
Control: Zero Trust Segmentation
Mitigation: A compromised ATM can reach only the host and management endpoints it was pre-authorized for; control of the ATM does not translate into reach across the estate.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral movement between ATMs, or from an ATM toward management systems, is blocked and flagged for investigation.
Control: Inline IPS (Suricata)
Mitigation: Known command-and-control and malware traffic patterns are detected and terminated in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections not on the ATM's allowlist are blocked or inspected, stopping remote activation channels and any exfiltration attempt.
Control: Continuous Anomaly Detection
Mitigation: Abnormal ATM behavior, such as cash dispensed with no approved transaction or repeated maximum-value dispenses in quick succession, is rapidly detected and the machine taken out of service.
Impact at a Glance
Affected Business Functions
- Cash Dispensing
- ATM Operations
Estimated downtime: 7 days
Estimated loss: $5,400,000
No customer data exposure reported; attacks focused on unauthorized cash withdrawals.
Recommended Actions
Key Takeaways & Next Steps
- Harden the ATM itself against on-site installation: cabinet locks and tamper alarms, full-disk encryption and a locked-down boot configuration, and application allowlisting so that unsigned binaries cannot run on the ATM PC.
- Implement encrypted network paths (MACsec/IPsec) to secure all ATM and management system communications.
- Deploy zero trust segmentation to strictly control and isolate ATM, management, and backend infrastructure access.
- Enforce east-west traffic controls and microsegmentation to block unauthorized lateral movement between devices.
- Configure rigorous egress policies and inline IPS for rapid detection and prevention of command-and-control or data exfiltration attempts.
- Enhance continuous anomaly detection and real-time response capabilities to quickly identify malicious ATM behaviors, in particular cash dispensed with no matching approved transaction, and stop fraud in progress.
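One concrete form of the anomaly detection recommended above is to reconcile what the dispenser did against what the host approved. The detector below is an added example written for this page; it is not code from the page's sources, from Ploutus analyses, or from any ATM vendor. Both log formats, the ATM identifier, the 30-second approval window and the burst threshold are assumptions chosen for illustration, and the log lines themselves are constructed. The two signals it raises are the hallmarks of a jackpotting payout: a dispense with no approved transaction behind it, and several dispenses in quick succession on one machine.

```python
"""Reconcile ATM dispenser events against host-approved transactions.

Two constructed log streams are assumed (formats are illustrative):
  host log:      <ISO-8601 UTC> <atm-id> TXN_APPROVED card=<masked> amount=<int>
  dispenser log: <ISO-8601 UTC> <atm-id> DISPENSE amount=<int>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data, not real ATM logs. Two legitimate withdrawals in the
# morning, then three back-to-back dispenses at night with no approval at all.
HOST_LOG = """\
2025-12-01T10:02:11Z ATM-0417 TXN_APPROVED card=****1234 amount=200
2025-12-01T10:15:40Z ATM-0417 TXN_APPROVED card=****9876 amount=60
"""

DISPENSER_LOG = """\
2025-12-01T10:02:14Z ATM-0417 DISPENSE amount=200
2025-12-01T10:15:43Z ATM-0417 DISPENSE amount=60
2025-12-01T23:41:02Z ATM-0417 DISPENSE amount=2000
2025-12-01T23:41:09Z ATM-0417 DISPENSE amount=2000
2025-12-01T23:41:16Z ATM-0417 DISPENSE amount=2000
"""


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    amount: int


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, atm, kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, atm, kind, int(kv["amount"])))
    return events


def find_unauthorized_dispenses(host_events: list[Event], dispenser_events: list[Event],
                                window: timedelta = timedelta(seconds=30)) -> list[Event]:
    """Return dispenses with no TXN_APPROVED for the same ATM and amount in the
    preceding `window`. Each approval may account for at most one dispense, so a
    replayed approval cannot cover a second payout."""
    approvals = [e for e in host_events if e.kind == "TXN_APPROVED"]
    used: set[int] = set()
    alerts = []
    for d in dispenser_events:
        if d.kind != "DISPENSE":
            continue
        match = None
        for i, a in enumerate(approvals):
            if i in used or a.atm != d.atm or a.amount != d.amount:
                continue
            if timedelta(0) <= d.ts - a.ts <= window:
                match = i
                break
        if match is None:
            alerts.append(d)
        else:
            used.add(match)
    return alerts


def find_dispense_bursts(dispenser_events: list[Event], max_per_window: int = 2,
                         window: timedelta = timedelta(seconds=60)) -> list[tuple[str, datetime, int]]:
    """Flag any ATM that dispenses more than `max_per_window` times inside `window`
    (sliding window per ATM). Returns (atm, window start, count), one entry per ATM."""
    by_atm: dict[str, list[datetime]] = {}
    for e in dispenser_events:
        if e.kind == "DISPENSE":
            by_atm.setdefault(e.atm, []).append(e.ts)
    bursts = []
    for atm, times in by_atm.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_per_window:
                bursts.append((atm, times[start], count))
                break  # one alert per ATM is enough to pull it from service
    return bursts


def run(host_text: str = HOST_LOG, dispenser_text: str = DISPENSER_LOG) -> dict:
    host = parse_log(host_text)
    disp = parse_log(dispenser_text)
    return {
        "unauthorized": find_unauthorized_dispenses(host, disp),
        "bursts": find_dispense_bursts(disp),
    }


if __name__ == "__main__":
    result = run()
    for e in result["unauthorized"]:
        print(f"ALERT unauthorized dispense {e.atm} {e.ts.isoformat()} amount={e.amount}")
    for atm, start, count in result["bursts"]:
        print(f"ALERT dispense burst {atm} from {start.isoformat()} count={count}")
```

On the sample data the two morning dispenses reconcile against their approvals and the three night-time dispenses raise both alerts. In production the approval window should reflect the real host-to-dispenser latency, and the dispenser stream should come from a source the ATM PC cannot rewrite (dispenser firmware counters or the switch-side record), since Ploutus runs on that PC with enough privilege to tamper with local logs.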



