FBI: More than 700 ATM jackpotting incidents with losses over $20 million occurred in 2025
Cases of criminals using the Ploutus malware to steal cash from ATMs have surged: the FBI counted more than 700 incidents in 2025, with losses of more than $20 million. Attackers physically install the malware to bypass security systems and complete the theft within minutes.

2026-2-19 21:30:43 Author: therecord.media

Criminals are increasingly using malware to steal money out of ATMs, with hundreds of incidents taking place in 2025 alone.

In a flash alert on Thursday, the FBI said it has tracked more than 1,900 ATM jackpotting incidents since 2020 and over 700 in 2025 that involved more than $20 million in losses.

FBI officials explained that criminals are now taking advantage of physical and software vulnerabilities that allow them to deploy malware on ATMs and dispense cash without transactions. 

The strains of malware include Ploutus, which has long been used globally by criminals to circumvent eXtensions for Financial Services (XFS), a layer of software that tells ATMs what to do.

“When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization. If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand,” the FBI explained.

Once Ploutus is installed, criminals can directly control the machine and trigger withdrawals. Attacks involving Ploutus allow criminals to steal money in minutes and are hard to detect until after the money is taken out. 
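The gap described above, cash leaving the machine with no bank authorization behind it, can be surfaced after the fact by reconciling dispense records against host approvals. The sketch below is an added example, not code from the FBI alert or this article. It assumes a dispense record collected independently of the ATM application, and the record layout, ATM ids and values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical format: real ATM journals and
# host authorization logs vary by vendor and processor.
DISPENSE_EVENTS = [  # (atm_id, time the dispenser paid out, amount)
    ("ATM-01", "2025-03-01T10:00:05", 200),
    ("ATM-01", "2025-03-01T02:14:10", 2000),
    ("ATM-01", "2025-03-01T02:15:02", 2000),
    ("ATM-02", "2025-03-01T11:30:20", 100),
]
HOST_AUTHORIZATIONS = [  # (atm_id, time the bank approved, amount)
    ("ATM-01", "2025-03-01T10:00:01", 200),
    ("ATM-02", "2025-03-01T11:30:15", 100),
]

def unauthorized_dispenses(dispenses, authorizations, window_seconds=60):
    """Return dispense events with no matching, unused bank authorization.

    A dispense matches an authorization for the same ATM and amount that was
    approved at most window_seconds before the cash left the machine. Each
    authorization can cover only one dispense, so a reused approval is
    flagged as well.
    """
    window = timedelta(seconds=window_seconds)
    unused = [(a, datetime.fromisoformat(t), amt) for a, t, amt in authorizations]
    flagged = []
    for atm, ts, amount in sorted(dispenses, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        match = next(
            (auth for auth in unused
             if auth[0] == atm and auth[2] == amount
             and timedelta(0) <= when - auth[1] <= window),
            None,
        )
        if match is None:
            flagged.append((atm, ts, amount))
        else:
            unused.remove(match)  # consume it so it cannot cover a second dispense
    return flagged

if __name__ == "__main__":
    for atm, ts, amount in unauthorized_dispenses(DISPENSE_EVENTS, HOST_AUTHORIZATIONS):
        print(f"ALERT {atm} dispensed {amount} at {ts} with no bank authorization")
```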

In most instances, criminals open the face of an ATM with widely available generic keys, according to the FBI. Once inside, they remove the ATM’s hard drive, connect it to their own computer and copy the malware onto it. In other cases they simply replace the ATM’s hard drive with a drive or external device that has malware loaded.

“The malware interacts directly with the ATM hardware, bypassing any communications or security of the original ATM software. The malware does not require connection to an actual bank customer account to dispense cash,” the FBI said.

“The malware can be used across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise.”

The white notice comes two months after the Justice Department indicted dozens of people for running an ATM jackpotting ring that involved the Ploutus malware being used against ATMs owned by credit unions.

Between February 2024 and December 2025, the gang stole at least $5.4 million from at least 63 ATMs, according to the indictment. 

The gang would survey ATMs and test whether they had alarms that would trigger police response. 

The DOJ said at least $5.4 million was stolen by the group and another $1.4 million was at risk of being stolen but the attacks failed. At least one credit union in Kearney, Nebraska suffered a loss of about $300,000 and most lost more than $100,000. 

Experts and government agencies have warned for nearly a decade about variants of the Ploutus malware, which Google researchers previously said “is one of the most advanced ATM malware families” they've seen. 

The Ploutus ATM malware was first detected by Symantec in 2013 and has gone through several updates since then. It was initially deployed against ATMs across Mexico in 2013, allowing criminals to empty machines by either attaching an external keyboard to the ATM or by sending an SMS message, a technique that had never been seen before, according to Google.

Ploutus has been used to target a variety of ATM vendors, including Diebold Nixdorf, Kalignite Platform and others. Diebold Nixdorf issued multiple alerts in 2017 and 2018 about variants of the malware being used to steal money from ATMs across Mexico and the U.S.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/fbi-atm-jackpotting-2025-report