The FBI has issued an emergency FLASH alert warning U.S. banks and ATM operators of a sharp rise in "jackpotting" attacks. In these attacks, exemplified by the Ploutus malware family, criminals make an ATM dispense its cash without a physical card or an active bank account, sidestepping the transaction-level controls that protect ordinary withdrawals. The threat is escalating and affecting financial institutions nationwide.
The FLASH alert, dated February 19, 2026, explains that Ploutus targets the software that controls ATM hardware rather than the banking application on top of it. By issuing commands through the eXtensions for Financial Services (XFS) middleware, the layer that sits between ATM applications and devices such as the cash dispenser, the malware instructs the dispenser to release notes directly. No withdrawal is ever submitted to the bank host for authorization, so the theft proceeds at the speed of the dispenser.
Ploutus Malware Exploits ATM Vulnerabilities
The FBI's analysis reveals a disturbing trend in jackpotting incidents. Since 2020, approximately 1,900 such attacks have been recorded, with over 700 occurring in 2025 alone, resulting in estimated losses of more than $20 million. Unlike card fraud, which targets customer card data or accounts, Ploutus compromises the ATM itself. Criminals can empty the cassettes within minutes, and the attack often goes unnoticed until the machine runs out of cash.
Gaining physical access to the ATM is the usual first step. Attackers open the fascia with widely available generic keys, which many operators never replace, and then infect the machine by one of several routes. One approach is to remove the hard drive, install the malware on it from another computer, and reinstall the compromised drive. Another is to attach an external device pre-loaded with the payload, sometimes through a USB hub or a connected keyboard.
Because most ATMs run Windows, the same malware can be adapted to machines from different manufacturers with only minor code changes. The key property of Ploutus is that it drives the hardware directly through XFS: it does not need the network or the bank host at all, so the ATM can be jackpotted while offline and network- or transaction-based alerting never fires.
Identifying and Mitigating Ploutus Threats
To detect Ploutus and similar malware, security teams are advised to look for unexpected executables on ATM systems. Indicators named in the alert include files such as Newage.exe, NCRApp.exe, WinMonitor.exe, and sdelete.exe. New folders under paths such as C:\Users\SSAuto1\AppData\Local\P, and unauthorized remote-access tools such as AnyDesk or TeamViewer, also warrant investigation. Registry autoruns and custom services with generic names like "ATM Service" or "Dispenser Service" can reveal persistence. Because file names are trivial to change, these name-based indicators should be backed by hashing every binary against a known-good manifest rather than relied on alone.
The FBI has recommended several security enhancements to combat this growing threat. These include upgrading standard ATM locks, implementing tamper sensors, and increasing camera surveillance around cash dispensing machines. Enabling disk encryption and employing hardware device whitelisting can further harden ATM systems against unauthorized software or hardware insertions.
For durable protection, organizations should regularly audit their ATMs against trusted "gold images" and baseline hashes, so that any added or altered binary stands out regardless of its name. Targeted Windows auditing is also essential: it lets operators correlate USB insertions (Event ID 6416, new external device recognized), file writes (4663, object access, which only fires for paths carrying a system access control list), process creations (4688, which is far more useful when command-line logging is enabled), and audit log clearing (1102). A USB insertion followed within minutes by a write and a process launch under a user profile, and then a cleared log, is the signature of a jackpotting attempt rather than routine servicing. Suspicious activity should be reported promptly to the local FBI field office or the Internet Crime Complaint Center (IC3).
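The following is an added example, not code from the FBI alert or from any ATM vendor, showing how the two detection steps above fit together: an audit of an ATM's file set against a gold-image hash manifest that also flags the indicator names listed earlier, and a correlation of Windows Security events 6416, 4663, 4688 and 1102 into a single alert. The directory layout, file contents, timestamps and event records are constructed for the demo; only the indicator names and event IDs come from the alert.

```python
"""Added example, not from the FBI alert: audit an ATM's files against a
gold-image hash manifest and correlate Windows Security events into a
jackpotting-style chain. Directory names, file contents and event records
are constructed for the demo; only the IOC names and event IDs come from
the alert."""
import hashlib
import ntpath
import os
import tempfile
from datetime import datetime, timedelta

# Executable names the alert lists as indicators, compared case-insensitively.
IOC_NAMES = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe",
             "anydesk.exe", "teamviewer.exe"}

EVT_USB_INSERT = 6416   # new external device recognized
EVT_FILE_WRITE = 4663   # object access (file write)
EVT_PROC_CREATE = 4688  # process creation
EVT_LOG_CLEARED = 1102  # audit log cleared


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def audit_against_gold(live_root, gold):
    """Return (new, modified, ioc_hits): files absent from the gold manifest,
    files whose hash differs, and files whose name matches a known indicator."""
    current = build_manifest(live_root)
    new = sorted(p for p in current if p not in gold)
    modified = sorted(p for p in current if p in gold and current[p] != gold[p])
    ioc_hits = sorted(p for p in current if ntpath.basename(p).lower() in IOC_NAMES)
    return new, modified, ioc_hits


def correlate_events(events, window=timedelta(minutes=30)):
    """events: dicts with 'time' (datetime), 'id' (int), 'detail' (str).
    For each USB insertion (6416) look for file writes (4663) and process
    creations (4688) within `window`; escalate when a created process has an
    IOC name or the audit log is cleared (1102) in the same window."""
    alerts = []
    for ins in (e for e in events if e["id"] == EVT_USB_INSERT):
        later = [e for e in events
                 if ins["time"] <= e["time"] <= ins["time"] + window]
        writes = [e for e in later if e["id"] == EVT_FILE_WRITE]
        procs = [e["detail"] for e in later if e["id"] == EVT_PROC_CREATE]
        ioc_procs = [p for p in procs if ntpath.basename(p).lower() in IOC_NAMES]
        cleared = any(e["id"] == EVT_LOG_CLEARED for e in later)
        if not (writes and procs):
            continue  # a USB insert alone (a technician's keyboard) is not an alert
        severity = "critical" if (ioc_procs or cleared) else "high"
        alerts.append({"usb_insert": ins["time"], "files_written": len(writes),
                       "processes": procs, "ioc_processes": ioc_procs,
                       "log_cleared": cleared, "severity": severity})
    return alerts


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one vendor binary altered, one IOC-named executable
    dropped under a user profile, and a matching event chain."""
    with tempfile.TemporaryDirectory() as gold_root, \
         tempfile.TemporaryDirectory() as live_root:
        for root, dispenser in ((gold_root, b"vendor dispenser build 1"),
                                (live_root, b"vendor dispenser build 1 + patch")):
            _write(root, "Program Files/ATM/dispenser.exe", dispenser)
            _write(root, "Windows/System32/drivers/xfs.sys", b"xfs driver")
        _write(live_root, "Users/SSAuto1/AppData/Local/P/Newage.exe", b"MZ fake payload")
        gold = build_manifest(gold_root)
        new, modified, ioc_hits = audit_against_gold(live_root, gold)

    t0 = datetime(2026, 2, 19, 2, 0, 0)  # constructed timestamps
    events = [
        {"time": t0, "id": 6416, "detail": "USB Mass Storage Device"},
        {"time": t0 + timedelta(minutes=2), "id": 4663,
         "detail": r"C:\Users\SSAuto1\AppData\Local\P\Newage.exe"},
        {"time": t0 + timedelta(minutes=3), "id": 4688,
         "detail": r"C:\Users\SSAuto1\AppData\Local\P\Newage.exe"},
        {"time": t0 + timedelta(minutes=20), "id": 1102, "detail": "Security log cleared"},
    ]
    return new, modified, ioc_hits, correlate_events(events)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In production the gold manifest would be generated from the vendor image at deployment time and stored off the ATM, and the event records would come from forwarded Security logs rather than an in-memory list; the correlation logic stays the same. The 4663 events only appear for files and folders that carry a system access control list, so the user-profile and application directories must be audited explicitly for the chain to be observable.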
The continued evolution of ATM malware such as Ploutus demands constant vigilance from financial institutions. The FBI alert is a clear warning that the recommended measures should be implemented now rather than after an incident. As criminals refine their tactics, defense will continue to rest on both physical security of the cabinet and integrity monitoring of the software that drives the dispenser.