ATM jackpotting crime is surging. The Federal Bureau of Investigation warned banks in a February advisory that of the 1,900 such attacks tracked since 2020, 700, totaling more than $20 million in losses, occurred last year.
Data from the ATM Industry Association through November 2025 show that 72% of all reported crime related to ATMs last year was jackpotting/cash-out attacks, with physical attacks on ATMs now representing less than 10% of all attacks. In one recent, high-profile jackpotting case, a federal grand jury returned an indictment charging 93 defendants in an alleged nationwide conspiracy to commit bank and computer fraud and burglary.
While ATM jackpotting is legally considered fraud, banks often distinguish it from other types of fraud that involve exploiting a customer’s personal data or stealing their funds, explained the head of cash & ATM operations at one regional bank. Jackpotting, instead, involves a direct attack on the machines collecting and dispensing money in customer transactions, without using customer data.
Threat actors gain access to an ATM’s internal hard drive using generic physical keys. Then, as the FBI explained, they introduce malware, including the Ploutus family of malware, to attack the software layer instructing the ATM what to physically do. If the would-be criminal can issue their own commands to the eXtensions for Financial Services (XFS) layer, they can order the ATM to dispense cash, without using a valid card, customer account, or bank authorization message.
With this rise in software-related criminal tactics, banks have shifted energy in recent years to technical security and safeguarding the machines themselves, while maintaining physical security of ATMs, or protecting the space and customers around the machines.
“The tricky part about it is not setting up the monitoring. It’s finding the needle in the haystack that’s the bad guy hacking the system,” the ATM operations head said. “That’s why the industry promotes a layered defense.”
Those layers still include physical deterrents such as cameras, alarms, and locks, but banks are stepping up cyber vigilance and basic tech hygiene to improve security. That means updating ATM software regularly and incorporating the latest cybersecurity features from machine makers as they become available. “Don’t be the slowest gazelle,” he said.
In its advisory, the FBI recommends focusing on removable storage usage, controlled file access, and delivery of high-fidelity jackpotting detection with minimal system overhead as part of a focused audit policy. It also outlines more than two dozen steps banks can take to harden their ATM protections. Whitelisting devices and networks, configuring automatic shutdown conditions on the machine, and collaborating with industry groups are among them.
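As an added illustration, not code from the FBI advisory or from any bank, here is one way to correlate removable-storage and file-access audit events from an ATM's Windows host. The event IDs (6416 and 4663), the watched paths, the 15-minute window, the simplified field names and the sample events are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Windows Security event IDs chosen for this example (the advisory text quoted
# above does not name them): 6416 = new external device recognized,
# 4663 = attempt to access an object.
DEVICE_ATTACHED, OBJECT_ACCESS = 6416, 4663
WINDOW = timedelta(minutes=15)  # hypothetical correlation window
WATCHED_DIRS = ("c:\\atm\\app\\", "c:\\windows\\system32\\")  # hypothetical paths
WRITE_ACCESSES = {"WriteData", "AppendData", "DELETE"}


def ts(text):
    return datetime.fromisoformat(text)


# Constructed sample events with simplified field names, not real ATM logs.
SAMPLE_EVENTS = [
    {"time": ts("2025-01-10T09:00:00"), "host": "ATM-0003", "id": 6416,
     "class": "DiskDrive", "device": "USB flash drive"},
    {"time": ts("2025-01-10T10:00:00"), "host": "ATM-0001", "id": 6416,
     "class": "DiskDrive", "device": "USB flash drive"},
    {"time": ts("2025-01-10T10:03:00"), "host": "ATM-0001", "id": 4663,
     "access": "WriteData", "path": "C:\\ATM\\App\\dispenser.dll"},
    {"time": ts("2025-01-10T10:04:00"), "host": "ATM-0001", "id": 4663,
     "access": "ReadData", "path": "C:\\ATM\\App\\config.xml"},
    {"time": ts("2025-01-10T10:05:00"), "host": "ATM-0002", "id": 4663,
     "access": "WriteData", "path": "C:\\ATM\\App\\update.exe"},
    {"time": ts("2025-01-10T11:00:00"), "host": "ATM-0003", "id": 4663,
     "access": "WriteData", "path": "C:\\ATM\\App\\dispenser.dll"},
]


def find_suspect_writes(events, window=WINDOW):
    """Flag writes into watched directories shortly after a storage device attach."""
    last_attach, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == DEVICE_ATTACHED and ev.get("class") == "DiskDrive":
            last_attach[ev["host"]] = ev  # remember latest attach per machine
        elif ev["id"] == OBJECT_ACCESS and ev["access"] in WRITE_ACCESSES:
            attach = last_attach.get(ev["host"])
            in_watched = ev["path"].lower().startswith(WATCHED_DIRS)
            if attach and in_watched and ev["time"] - attach["time"] <= window:
                delay = int((ev["time"] - attach["time"]).total_seconds())
                alerts.append({"host": ev["host"], "path": ev["path"],
                               "device": attach["device"], "delay_s": delay})
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_writes(SAMPLE_EVENTS):
        print(alert)
```

Collecting only these two event types keeps audit volume low, and requiring both signals on the same machine inside the window is what cuts the noise from routine software updates and unrelated device attaches.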
That collaboration, the ATM operations head said, has heightened awareness among banks and law enforcement, including at the federal level. Whether the Justice Department prosecutes ATM jackpotting as a federal crime depends, in part, on the circumstances of the crime and the actors, including whether the theft happens on bank property or whether international criminal organizations are involved.
The recent high-profile indictment named members of a gang designated a Foreign Terrorist Organization among those conducting jackpotting attacks across the U.S. Crimes committed against non-bank ATMs and ATMs off bank premises are handled by local law enforcement.
To redress these enforcement inconsistencies and ensure the safety of independent ATMs, a bipartisan group in Congress re-introduced a bill last year that would level enforcement standards for all ATMs. The Safe Access to Cash Act would afford non-bank ATMs the same federal protections as bank-owned machines.
Co-sponsor John Rose said, “independent ATMs serve as a lifeline to the underbanked and those lacking access to traditional financial services,” calling the bill common sense for providing independent ATMs “the same federal legal protections under the Bank Robbery Act as other ATMs.”
By: Michael Bender