The Federal Bureau of Investigation (FBI) recently released, through a “FLASH” report, key indicators that an ATM has been tampered with, amid rising incidents of ATM jackpotting. ATM jackpotting threats are typically associated with locally introduced files that bypass traditional network-based detection, the FBI said.
Data for the previous year, 2025, show a total of 700 ATM jackpotting incidents across the United States, with over $20 million in losses. In the last six years, as many as 1,900 jackpotting incidents were reported. The FBI, in its report dated 19 February, said, “Threat actors are deploying ATM jackpotting malware, including the Ploutus family malware, to infect ATMs and force them to dispense cash…. Ploutus allows threat actors to force an ATM to dispense cash without using a bank card, customer account, or bank authorization.”
In addition to several digital indicators, the FBI listed some physical indicators of compromise (IOCs) associated with malware-enabled ATM jackpotting, which are given below:
- One should alert the authorities if an ATM door-open signal is raised outside of the planned maintenance schedule.
- If the ATM displays low or no cash outside of the expected use schedule, it could indicate trouble.
- If a person finds any unauthorized device plugged into the ATM, the authorities must be alerted promptly.
- If a person suspects that hard drives have been removed from the ATM, it is a cause for concern.
- Another common indicator of foul play is the ATM unexpectedly going out of service.
According to the FBI, regular maintenance and validation of system integrity against a gold image is one of the most effective defenses against ATM-targeted malware.
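The gold-image validation described above, as an added Python example that is not taken from the FLASH report: it hashes every file in a reference tree and in a live tree, then reports files that were added, modified or missing. The directory layout, file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_gold(gold, live):
    """Report files added to, changed in, or missing from the live tree."""
    return {
        "added": sorted(live.keys() - gold.keys()),
        "modified": sorted(p for p in gold.keys() & live.keys() if gold[p] != live[p]),
        "missing": sorted(gold.keys() - live.keys()),
    }


def demo():
    """Constructed sample trees; all file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, live = Path(tmp, "gold"), Path(tmp, "live")
        gold_files = {"app/atm_service.bin": b"vendor build 1.0",
                      "app/config.ini": b"mode=production",
                      "app/audit.dll": b"audit module"}
        live_files = {"app/atm_service.bin": b"vendor build 1.0",   # unchanged
                      "app/config.ini": b"mode=service",            # altered
                      "tools/dropped.exe": b"unknown binary"}       # introduced
        for root, files in ((gold, gold_files), (live, live_files)):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        return compare_to_gold(build_manifest(gold), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the compromise described here involves a tampered or replaced hard drive, the gold manifest should be stored off the ATM and the comparison run from trusted media rather than from the operating system being checked.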
The FBI encourages recipients of this document to report information concerning
If any suspicious or criminal activity is detected, then one must contact the FBI field office at www.fbi.gov/contact-us/field-offices or the FBI Internet Crime Complaint Center at www.ic3.gov. One can also alert authorities through FLASH number 20260219-001. Key details that should be mentioned in the complaint include the bank name, branch, location, and contact information. In addition to bank details, the following ATM information should also be provided:
- Manufacturer make and model
- Vendor name and contact information
- Available logging
How do ATMs malfunction?
When an ATM’s hard drive is tampered with or replaced with a foreign hard drive, the malware introduced into the system bypasses all communications or security of the original ATM software. “The malware does not require connection to an actual bank customer account to dispense cash. The malware can be used across ATMs of different manufacturers with very little adjustment to the code as the Windows operating system is exploited during the compromise,” the FBI said.

