
Analysis of 2025 ATM Jackpotting Trends and Mitigation Strategies

Recent FBI data indicates a significant rise in physical ATM compromises known as "jackpotting." This analysis reviews the technical mechanisms behind these incidents, including XFS manipulation and Ploutus malware, and outlines defense-in-depth strategies for financial institutions.

Triage Security Media Team

Financial institutions have invested heavily in hardening applications, encrypting databases, and deploying fraud detection systems to secure digital assets. However, recent data suggests that physical infrastructure, specifically Automated Teller Machines (ATMs), remains a critical area for risk management.

In 2025, the FBI recorded 700 incidents nationwide where threat actors compromised ATMs to dispense cash illicitly, a technique known as "jackpotting." This marks a significant increase in activity, contributing to a total of approximately 1,900 recorded incidents since 2020. These events resulted in losses exceeding $20 million last year, highlighting the persistent need to secure physical banking endpoints.

In conjunction with recent advisory releases, the US Department of Justice has pursued legal action against groups involved in these campaigns. Since December 2025, authorities have charged 93 individuals related to ATM jackpotting schemes, including members of the Tren de Aragua (TdA) group. Charges have included conspiracy to deploy malware and the theft of millions of dollars from US banks. Convictions for these offenses carry significant penalties, ranging from 20 to 355 years in prison.

Technical Analysis of Jackpotting

Jackpotting involves the manipulation of an ATM's internal electronics or software to force the dispensing of currency without a valid card, PIN, or bank account authorization.

A primary vector for these incidents is the exploitation of the eXtensions for Financial Services (XFS) layer. XFS is a standard interface that allows banking software to communicate with hardware peripherals, such as the cash dispenser. When a legitimate transaction occurs, the core banking system authorizes the XFS layer to release funds.

In a jackpotting scenario, the threat actor introduces malware, most commonly a variant known as Ploutus, that issues commands directly to the XFS interface. By interacting with the hardware at this level, the malware bypasses the bank's central authorization processes entirely. This allows for rapid "cash-out" operations that may go undetected until reconciliation processes identify the shortage.
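Because a jackpotting cash-out bypasses the host, the detectable signal is a dispense that the core banking system never authorized. The following script is an added example (not code from the article, from any ATM vendor, or from a real XFS journal) showing how a monitoring team can correlate dispenser events against host authorizations instead of waiting for end-of-day reconciliation. The log format, field names (`HOST_AUTH`, `DISPENSE`, `SERVICE_PANEL_OPEN`, `txn`, `amount`) and the 60-second authorization window are assumptions chosen for illustration; the sample log is constructed.

```python
"""Correlate ATM dispense events against host authorizations.

Added example, not from the article or any vendor. Flags cash dispenses
that the core banking host did not authorize, plus tamper-sensor context.
The log format and field names are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log. In a real deployment these records would come
# from the ATM's XFS event journal and the host's authorization log.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z atm=ATM-0042 event=HOST_AUTH txn=T1001 amount=200
2025-03-01T10:00:03Z atm=ATM-0042 event=DISPENSE txn=T1001 amount=200
2025-03-01T10:15:40Z atm=ATM-0042 event=SERVICE_PANEL_OPEN
2025-03-01T10:16:10Z atm=ATM-0042 event=DISPENSE txn=NONE amount=2000
2025-03-01T10:16:12Z atm=ATM-0042 event=DISPENSE txn=NONE amount=2000
2025-03-01T10:20:00Z atm=ATM-0042 event=HOST_AUTH txn=T1002 amount=100
2025-03-01T10:20:02Z atm=ATM-0042 event=DISPENSE txn=T1002 amount=300
"""

# Assumed maximum age of a host authorization before a dispense is suspect.
AUTH_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Turn one 'key=value' log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_unauthorized_dispenses(log_text):
    """Return alert dicts for dispenses lacking a matching, recent host authorization.

    A dispense counts as authorized only if HOST_AUTH was logged for the same
    txn id within AUTH_WINDOW and the authorized amount equals the dispensed one.
    """
    auths = {}    # txn id -> most recent HOST_AUTH record
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ev = rec["event"]
        if ev == "HOST_AUTH":
            auths[rec["txn"]] = rec
        elif ev == "DISPENSE":
            auth = auths.get(rec["txn"])
            if auth is None:
                reason = "no host authorization"
            elif rec["ts"] - auth["ts"] > AUTH_WINDOW:
                reason = "authorization too old"
            elif auth["amount"] != rec["amount"]:
                reason = f"amount mismatch (authorized {auth['amount']})"
            else:
                continue   # legitimate, host-authorized dispense
            alerts.append({"atm": rec["atm"], "ts": rec["ts"].isoformat(),
                           "txn": rec["txn"], "amount": int(rec["amount"]),
                           "reason": reason})
        elif ev == "SERVICE_PANEL_OPEN":
            # Tamper-sensor events are surfaced as context: a panel opening
            # shortly before unauthorized dispenses is the pattern the article describes.
            alerts.append({"atm": rec["atm"], "ts": rec["ts"].isoformat(),
                           "txn": None, "amount": 0, "reason": "service panel opened"})
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_dispenses(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script reports the panel-open event followed by two dispenses with no authorization and one whose amount exceeds what the host approved, while the legitimate T1001 transaction produces no alert. Feeding it the real journals in near real time turns the "undetected until reconciliation" gap into an alert within seconds of the first unauthorized dispense.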

Physical Compromise Methods

To introduce the malware, threat actors typically require physical interaction with the machine. Methods observed in 2025 include:

  • Hard Drive Manipulation: Removing the ATM’s hard drive to infect it with malware externally, or swapping the drive entirely for a pre-configured, compromised unit.

  • Internal Access: Using generic keys or prying open panels to access internal ports (USB or similar).

  • Pairing Manipulation: In some hardware configurations, threat actors use industrial endoscopes to depress internal pairing buttons inside the safe, facilitating the connection of unauthorized hardware.

Vulnerability Factors

Industry experts suggest that environmental factors contribute to the feasibility of these operations. Louis Eichenbaum, federal CTO at ColorTokens, notes that many ATM environments rely on legacy operating systems that are difficult to patch and lack modern endpoint protection.

"If a threat actor gains physical access or compromises remote management services, they can install widely available malware and directly command the cash dispenser," Eichenbaum explains.

Mayuresh Dani, security research manager at Qualys, identifies the availability of security paraphernalia as a contributing factor. The circulation of generic ATM keys and open-source projects that reverse-engineer XFS protocols lowers the barrier to entry. Standalone ATMs in unattended locations, such as retail centers, face elevated risk due to easier physical access.

Remediation and Hardening Strategies

Securing ATMs requires a convergence of physical security and digital hardening. Operators and security teams should evaluate the following mitigations to protect these assets.

Physical Security

  • Access Control: Replace default locks and keys to prevent the use of generic tools.

  • Monitoring: Install alarms and tamper-detection sensors that trigger upon the opening of service panels or attempts to access internal hardware.

  • Environment: Ensure ATMs are placed in well-lit, monitored areas to deter prolonged physical access attempts.

System Hardening

  • Boot Security: Enforce Trusted Platform Module (TPM)-backed secure boot and firmware integrity checks. This prevents the machine from booting if the hard drive has been swapped or tampered with.

  • Allowlisting: Implement strict application allowlisting so that only approved binaries can execute.

  • Port Management: Disable unused physical ports and enable BIOS-level protections to restrict boot devices.

Network and Remote Access

  • Authentication: Secure remote management interfaces with multifactor authentication (MFA) and eliminate shared administrative credentials.

  • Segmentation: Use IP allowlisting to ensure ATMs can only communicate with authorized host systems.

Diebold Nixdorf and other major manufacturers continue to release guidance and security updates. Maintaining current software versions and fostering cooperation between physical security teams and cybersecurity personnel remains essential for reducing the risk of jackpotting.