In 2010, renowned security researcher Barnaby Jack stunned attendees at the Black Hat conference by remotely hacking an ATM onstage and forcing it to eject streams of bank notes in a live demonstration of so-called “jackpotting.”
More than a decade later, what was once a dramatic proof of concept has evolved into a lucrative criminal enterprise.
According to a newly issued security bulletin from the Federal Bureau of Investigation, ATM jackpotting attacks have surged in recent years. In 2025 alone, hackers carried out more than 700 attacks on cash dispensers, stealing at least $20 million.
The FBI says attackers are combining physical intrusion techniques with advanced malware tools.
In many cases, criminals gain direct access to ATMs by using generic keys to open front panels and reach internal components such as hard drives. Once inside, they deploy malicious software capable of overriding normal controls and forcing the machine to rapidly dispense cash.
One malware strain drawing particular concern is known as Ploutus. The FBI warns that Ploutus targets the Windows operating systems that power many ATMs worldwide. Once installed, it grants attackers full control over the machine, allowing them to issue commands that trigger cash payouts without debiting customer accounts.
Unlike traditional bank fraud schemes that compromise user credentials, Ploutus attacks the ATM hardware itself. This enables rapid “cash-out” operations that can be completed in minutes and are often detected only after the money is gone.
Ploutus leverages vulnerabilities in Extensions for Financial Services (XFS) software, a standard interface that allows ATM hardware components to communicate with the operating system. XFS manages interactions between the PIN keypad, card reader, and the cash dispensing unit.
By manipulating this software layer, attackers can effectively trick the ATM into releasing money on command.
Security researchers have previously identified weaknesses in XFS implementations that could allow similar exploitation. The FBI’s latest warning suggests criminal groups are now scaling those techniques with increasing efficiency.
Barnaby Jack’s original demonstration at Black Hat was intended to spotlight security flaws and push manufacturers to strengthen protections. Today, jackpotting has moved far beyond the conference stage.
The FBI’s figures indicate that ATM malware attacks are no longer rare or experimental. Instead, they represent a coordinated and growing threat to financial institutions and ATM operators worldwide.
With millions already stolen in 2025, authorities are urging banks and ATM manufacturers to strengthen both physical security measures and software defenses to prevent further exploitation.

