FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025
ATM jackpotting exposes widespread banking vulnerabilities: malware, outdated ATM systems, and regulatory gaps threaten global finance. Learn how attacks work—and how to defend.

What Is ATM Jackpotting?
ATM jackpotting refers to criminal attacks in which perpetrators manipulate an automated teller machine to dispense large amounts of cash illicitly, bypassing normal security controls. Tactics include the deployment of specialized malware (e.g., Ploutus, Skimer, Cutlet Maker), physical access to internal ports, exploitation of hardcoded credentials, and insider fraud. These attacks target vulnerabilities in legacy ATM software, hardware, and operational practices.
How Jackpotting Works: Attack Vectors and Case Studies
Technical Attack Flow
Attackers typically gain access through:
- Physical penetration of ATM components (USB, network ports)
- Installation of malware via portable media (e.g., Skimer, Ploutus, Diebold Nixdorf advisory)
- Remote exploitation of outdated ATM management software (NCR ATM Security Guide)
Once access is achieved, malware can override cash dispensing logic, trigger illegitimate withdrawals, or facilitate unauthorized control over transaction networks. In many instances, vulnerabilities stem from legacy operating systems such as Windows XP Embedded or Windows 7 Embedded, which reached end-of-support in 2014 and 2020, respectively (Microsoft lifecycle documentation, Windows 7 End of Support).
Industry data: As of 2020, approximately 35% of global ATMs still ran unsupported OS variants (ATM Marketplace Survey, 2020).
Case Study 1: Ploutus Malware in Mexico (2013–2018)
Ploutus malware, first discovered in Mexico in 2013, allowed attackers to dispense cash by sending SMS commands or via an infected USB stick (KrebsOnSecurity, 2018). Attackers exploited unpatched systems running Windows XP Embedded, circumvented physical locks, and retrieved up to $40,000 per ATM during coordinated attacks.
Case Study 2: Jackpotting Incident in the US (2022)
In August 2022, the FBI reported a coordinated jackpotting campaign affecting ATMs across multiple states, resulting in $20 million in losses and over 1,900 confirmed incidents (FBI PSA IC3 2024-08-15). Attackers used a combination of Cutlet Maker malware and physical access to USB ports. Remediation included application whitelisting, USB port enclosures, and mandatory patch enforcement.
Why Are ATMs Still Vulnerable?
Many ATMs continue to operate on obsolete platforms, specifically Windows XP Embedded and Windows 7 Embedded. While vendors such as Diebold Nixdorf and NCR provided limited extended support, regular security updates ceased for most units, exposing machines to well-documented malware vectors (Diebold Nixdorf Security Bulletin, 2018).
ATM operators frequently delay hardware and software upgrades due to cost, integration complexity, and operational disruption (ATMIA Global Security Report, 2023). Budget constraints and risk-averse decision-makers often prioritize regulatory minimums over robust defenses—a finding supported by industry studies of capex allocations to ATM modernization (EY Banking IT Survey, 2022).

What Banks and Operators Must Do
ATM security requires layered controls and organizational commitment:
- Operating System Upgrades: Transition to supported OS (Windows 10 IoT, Linux variants) (Microsoft security recommendation)
- Firmware Protections: Enforce secure boot, digitally signed firmware, and application whitelisting (PCI DSS, Section 5)
- Physical Security: Lock down and seal USB/network ports; implement tamper sensors (ATMIA Best Practices)
- Credential Management: Remove hardcoded credentials; enforce multi-factor authentication (NIST SP 800-63)
- Endpoint Detection & Response (EDR): Real-time malware detection and automated incident response (Gartner Market Guide EDR, 2023)
- Patch Management: Mandatory, centralized patch deployment with remote monitoring (NCR Security Guidance)
- Cash-Out Command Controls: Two-person key custody and real-time transaction verification (PCI PIN Security Standard)
- Network Segmentation: Separate ATM management networks from transaction processing.
Industry guidance from PCI, NIST, and ATMIA details these controls and recommends regular independent penetration testing and security audits.
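As an added illustration of the real-time transaction verification control listed above (this is example code, not taken from the article or from any vendor), the sketch below reconciles dispenser events against host authorizations and raises severity when a USB insertion preceded the dispense. The key=value log format, the event names (HOST_AUTH, DISPENSE, USB_INSERT), the time windows, and the sample log are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log; the key=value format and event names are assumptions.
SAMPLE_LOG = """\
2024-03-02T02:14:07Z atm=ATM-0042 event=HOST_AUTH txn=981233 amount=200
2024-03-02T02:14:11Z atm=ATM-0042 event=DISPENSE txn=981233 amount=200
2024-03-02T02:31:40Z atm=ATM-0042 event=USB_INSERT
2024-03-02T02:33:02Z atm=ATM-0042 event=DISPENSE amount=2000
2024-03-02T02:33:40Z atm=ATM-0042 event=DISPENSE amount=2000
2024-03-02T09:05:10Z atm=ATM-0007 event=HOST_AUTH txn=555001 amount=100
2024-03-02T09:05:13Z atm=ATM-0007 event=DISPENSE txn=555001 amount=300
"""

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_unauthorized_dispenses(log, auth_window=timedelta(seconds=60),
                                usb_window=timedelta(minutes=15)):
    """Return (atm, time, reason, severity) for dispenses the host never approved."""
    auths = {}      # (atm, txn) -> [approval time, remaining authorized amount]
    last_usb = {}   # atm -> time of most recent USB insertion
    findings = []
    for rec in map(parse, filter(None, log.splitlines())):
        atm, event = rec["atm"], rec["event"]
        if event == "HOST_AUTH":
            auths[(atm, rec["txn"])] = [rec["ts"], int(rec["amount"])]
        elif event == "USB_INSERT":
            last_usb[atm] = rec["ts"]
        elif event == "DISPENSE":
            amount = int(rec["amount"])
            auth = auths.get((atm, rec.get("txn")))
            if auth is None:
                reason = "no host authorization"
            elif rec["ts"] - auth[0] > auth_window:
                reason = "authorization expired"
            elif amount > auth[1]:
                reason = "amount exceeds authorization"
            else:
                auth[1] -= amount   # consume so one approval cannot be reused
                continue
            usb = atm in last_usb and rec["ts"] - last_usb[atm] <= usb_window
            findings.append((atm, rec["ts"].isoformat(), reason,
                             "HIGH" if usb else "MEDIUM"))
    return findings
```

On the constructed log this flags the two ATM-0042 dispenses that follow the USB insertion as HIGH and the ATM-0007 over-dispense as MEDIUM, while the matched 02:14 withdrawal passes.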
How Regulators and Standards Bodies Respond
- PCI Security Standards Council: Mandates PIN transaction security, software updates, physical controls, and credential management (PCI DSS v4.0).
- NIST: Issues technical guidance for authentication, malware defense, and cryptographic controls (NIST SP 800-53).
- ATM Industry Association (ATMIA): Publishes best practices and regular threat advisories (ATMIA Security Portal).
- Europol & FBI: Conduct international threat intelligence sharing, publish malware advisories, and coordinate enforcement actions (Europol Cybercrime Reports, FBI Cyber Division).
Regulatory enforcement emphasizes compliance, minimum guidelines, and post-incident review. Industry studies indicate gaps persist, notably among smaller operators.
What Consumers Should Know
While consumers are not directly the targets in most ATM jackpotting incidents (the effect is on the bank’s cash, not consumer accounts), practical steps include:
- Monitor Account Activity: Set alerts and notifications for withdrawals and unusual activity (Consumer Reports, 2023).
- Report ATM Irregularities: If an ATM appears out-of-service or tampered, avoid use and notify your bank.
- Prefer Bank-Operated Machines: Use ATMs maintained directly by established financial institutions, as these are more likely to be updated.
- Enable Two-Factor Security: Where offered, enroll in two-factor authentication for all banking access.
- Stay Informed: Read bank cybersecurity advisories and watch for public notice of major incidents.
Methodology Note
Data for this article was aggregated from official FBI advisories (2024), Europol reports (2017–2023), vendor bulletins (Diebold Nixdorf, NCR), industry surveys (EY, ATM Marketplace), and technical documentation (PCI, NIST, ATMIA). Author insights are based on observed implementation projects from 2008–2024 across financial infrastructure in North America and Europe.
Due to underreporting of cyber incidents, public figures likely underestimate real totals. For clarity, only formally validated statistics were cited.
Disclaimer:
This article does not provide instructions for committing illegal activity; it is intended exclusively to inform defensive, ethical measures.
Tags: ATM jackpotting, ATM malware, ATM security, bank cybersecurity, ATMIA, FBI advisory
Published: 2024-06-25
Last updated: 2024-06-25