Tag: Jackpotting

  • FBI Alerts on Increasing Malware ATM Jackpotting Attacks

    Key Takeaways

    1. Significant Increase in Jackpotting Cases: Since 2020, there have been 1,900 jackpotting incidents in the U.S., with over 700 reported in 2025, resulting in losses exceeding $20 million.

    2. Malware Exploitation: Jackpotting malware, particularly from the Ploutus family, targets the ATM’s software layer (XFS) to dispense cash without bank authorization.

    3. Indicators of Infection: The advisory lists suspicious executables and digital artifacts linked to jackpotting malware, along with signs of remote access tool misuse and unusual persistence in Windows systems.

    4. Physical Tampering Indicators: Warning signs include unauthorized devices connected to ATMs, ATM door-open alerts during non-maintenance times, and unexpected cash levels, indicating potential tampering.

    5. Prevention Recommendations: The FBI advises enhancing physical security measures, implementing device whitelisting, performing firmware integrity checks, and encouraging reporting of incidents to local FBI offices.


    The FBI published an IC3 FLASH advisory on February 19, 2026, warning of a rise in malware-driven ATM “jackpotting” cases across the United States. The advisory provides technical specifics and indicators of compromise (IOCs) to help banks, ATM operators, and service providers secure their machines and identify breaches sooner.

    Serious Scale of Attacks

    The scale is significant. The FBI reports that since 2020 there have been 1,900 jackpotting cases, with more than 700 occurring in 2025 alone, resulting in losses exceeding $20 million.

    In these jackpotting scenarios, thieves do not need to steal card information or empty customer accounts. Their target is the ATM itself, using malware to make the machine dispense cash without a valid transaction. The FBI describes these occurrences as quick “cash-out” operations that may only be detected after the funds have vanished.

    Malware and Its Targets

    The advisory highlights jackpotting malware, particularly from the Ploutus family. According to the FBI, Ploutus focuses on eXtensions for Financial Services (XFS), which is the software layer directing ATM hardware actions. Normally, the ATM application sends commands through XFS as part of a transaction requiring bank authorization. If an attacker can send their own commands to XFS, they can completely avoid authorization and command the ATM to dispense cash on demand.

    The FBI’s report stresses that many of these attacks begin with physical access, often by using commonly available generic keys to open the ATM face. From that point, the FBI outlines common methods of deployment, like removing the hard drive, copying malware onto it from another computer, reinstalling, and rebooting the ATM, or even replacing the drive with a “foreign” drive or external device that already has malware installed before rebooting.

    Compatibility and Signs of Infection

    The FBI states that the malware works across various ATM brands with minimal adjustment because it targets the Windows operating system that the affected ATMs run. The malware interacts directly with the ATM hardware, allowing it to dispense cash without any access to a bank customer account.

    The advisory details numerous digital indicators that have been seen on affected ATMs running Windows, including suspicious executables like Newage.exe, Color.exe, Levantaito.exe, NCRApp.exe, sdelete.exe, Promo.exe, WinMonitor.exe, WinMonitorCheck.exe, Anydesk1.exe, along with related files/scripts such as C.dat and Restaurar.bat, and newly created folders. It also mentions multiple MD5 hashes associated with the observed artifacts.

    In addition to file artifacts, the FBI highlights potential misuse of remote access tools, such as unauthorized TeamViewer/AnyDesk installations, and flags unusual persistence through abnormal autoruns and custom services in Windows registry and service locations.

    Indicators of Tampering

    Since jackpotting often involves physical tampering, the FBI identifies “physical interaction indicators,” including USB insertion events and detection of connected devices like USB keyboards, USB hubs, and flash drives. Warning signs include ATM door-open alerts during non-maintenance times, unexpected low or empty cash states, unauthorized devices attached, and hard drive removal.
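    The digital and physical indicators above lend themselves to a simple host-side triage pass. The Python script below is an added example, not code from the FBI advisory or this article: it applies the executable and file names the advisory lists, together with the remote access tool and USB device indicators, to a constructed stream of Windows Security events (process creation 4688, object access 4663, new external device 6416). The log line format, the nine-to-five maintenance window and the assumption that no remote access tool is approved on the ATM are all assumptions of this example.

```python
"""
Added example (not from the FBI advisory or the article): triage a constructed
stream of Windows Security events from an ATM against the advisory's indicators.
File names come from the advisory; the record format, maintenance window and
approved-tool list are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# Executable and file names the advisory lists as seen on compromised ATMs.
SUSPICIOUS_EXECUTABLES = {
    "newage.exe", "color.exe", "levantaito.exe", "ncrapp.exe", "sdelete.exe",
    "promo.exe", "winmonitor.exe", "winmonitorcheck.exe", "anydesk1.exe",
}
SUSPICIOUS_FILES = {"c.dat", "restaurar.bat"}

# Remote access tools named in the advisory; assumption: none are approved on this ATM.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
APPROVED_REMOTE_TOOLS: set[str] = set()

# Real Windows Security event IDs: process creation, object access, new external device.
EVENT_PROCESS_CREATED = 4688
EVENT_OBJECT_ACCESS = 4663
EVENT_DEVICE_RECOGNISED = 6416

# Assumed maintenance window (local time); physical events outside it are suspect.
MAINTENANCE_START, MAINTENANCE_END = time(9, 0), time(17, 0)


@dataclass
class Finding:
    timestamp: str
    event_id: int
    severity: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> tuple[datetime, int, dict[str, str]]:
    """Parse one constructed 'timestamp|event_id|Key=Value;Key=Value' record."""
    ts, eid, rest = line.strip().split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return datetime.fromisoformat(ts), int(eid), fields


def triage(lines: list[str]) -> list[Finding]:
    """Return one Finding per event that matches an advisory indicator."""
    findings: list[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ts, eid, f = parse_event(line)
        stamp = ts.isoformat()
        in_window = MAINTENANCE_START <= ts.time() <= MAINTENANCE_END
        if eid == EVENT_PROCESS_CREATED:
            name = _basename(f.get("NewProcessName", ""))
            if name in SUSPICIOUS_EXECUTABLES:
                findings.append(Finding(stamp, eid, "high", f"known jackpotting artifact executed: {name}"))
            elif name in REMOTE_ACCESS_TOOLS and name not in APPROVED_REMOTE_TOOLS:
                findings.append(Finding(stamp, eid, "high", f"unapproved remote access tool executed: {name}"))
        elif eid == EVENT_OBJECT_ACCESS:
            name = _basename(f.get("ObjectName", ""))
            if name in SUSPICIOUS_FILES:
                findings.append(Finding(stamp, eid, "high", f"known jackpotting artifact accessed: {name}"))
        elif eid == EVENT_DEVICE_RECOGNISED:
            # Any new external device on an ATM is notable; outside maintenance it is a strong signal.
            desc = f.get("DeviceDescription", "unknown device")
            if in_window:
                findings.append(Finding(stamp, eid, "medium", f"external device connected during maintenance window: {desc}"))
            else:
                findings.append(Finding(stamp, eid, "high", f"external device connected outside maintenance window: {desc}"))
    return findings


# Constructed sample events (not real telemetry); timestamps are local time.
SAMPLE_EVENTS = [
    "2026-02-20T02:14:05|6416|DeviceDescription=USB Input Device;ClassName=HIDClass",
    "2026-02-20T02:15:30|4688|NewProcessName=C:\\Windows\\Temp\\Newage.exe;SubjectUserName=ATMUSER",
    "2026-02-20T02:16:02|4663|ObjectName=C:\\Windows\\Temp\\C.dat;AccessMask=0x2",
    "2026-02-20T02:18:44|4688|NewProcessName=C:\\Users\\Public\\AnyDesk.exe;SubjectUserName=ATMUSER",
    "2026-02-20T10:30:00|4688|NewProcessName=C:\\ATM\\App\\Dispenser.exe;SubjectUserName=ATMUSER",
    "2026-02-20T11:05:12|6416|DeviceDescription=USB Mass Storage Device;ClassName=USB",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.timestamp} [{finding.severity}] event {finding.event_id}: {finding.reason}")
```

    Run against the sample, the script raises four high-severity findings (the overnight USB keyboard, the Newage.exe launch, the C.dat access and the unapproved AnyDesk start) and one medium-severity finding for the flash drive connected during the maintenance window, while the legitimate dispenser process produces nothing. In a real deployment the event source would be the Security log itself and the maintenance window would come from the service ticketing system.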

    A particularly actionable part of the advisory stresses the importance of baselining and integrity: the FBI recommends validating ATM files/hashes against a controlled “gold image” and treating any deviations, especially unsigned or newly introduced binaries, as potential compromises.

    The FBI also suggests implementing a focused audit policy covering removable storage use, controlled file access, and process creation, so that staging activity which would otherwise evade network monitoring is still recorded on the host.
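    As an added example of the baselining step, not the advisory's or the article's own tooling: the Python below builds a SHA-256 manifest from a gold image directory and checks a live ATM software tree against it, separating modified, missing and newly introduced files and singling out new files with executable suffixes. The directory layout, file contents and manifest format are constructed for the demo; Authenticode signature checking, which the advisory's “unsigned binaries” indicator also calls for, is not shown.

```python
"""
Added example (not from the FBI advisory or the article): verify an ATM software
tree against a hash manifest taken from the controlled gold image. Paths, file
contents and the manifest format are constructed for this demo.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# New files with these suffixes are reported separately as newly introduced binaries.
BINARY_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1", ".vbs"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree under root with the gold-image manifest."""
    current = build_manifest(root)
    report: dict[str, list[str]] = {"modified": [], "missing": [], "new_binary": [], "new_other": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            bucket = "new_binary" if Path(rel).suffix.lower() in BINARY_SUFFIXES else "new_other"
            report[bucket].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a gold image and a tampered copy of the same tree."""
    with tempfile.TemporaryDirectory() as tmp:
        gold = Path(tmp) / "gold"
        atm = Path(tmp) / "atm"
        for root in (gold, atm):
            _write(root, "App/Dispenser.exe", b"constructed dispenser build 1.2")
            _write(root, "App/config.ini", b"[dispenser]\ncassettes=4\n")
            _write(root, "App/xfsbridge.dll", b"constructed XFS bridge stub")
        manifest = build_manifest(gold)
        # Tampering modelled on the advisory's indicators (artifact names from the page).
        _write(atm, "Windows/Temp/Newage.exe", b"dropped binary")
        _write(atm, "Windows/Temp/C.dat", b"payload data")
        _write(atm, "App/Dispenser.exe", b"patched dispenser")
        (atm / "App" / "config.ini").unlink()
        return verify_against_manifest(atm, manifest)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(f"{bucket}: {entries}")
```

    The manifest must be produced from the gold image on a trusted workstation and stored off the ATM, since a manifest kept on the machine could be rewritten together with the files it describes. Anything in the `modified` or `new_binary` buckets is, per the advisory, a potential compromise until explained by a documented change.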

    Recommendations for Prevention

    On the physical side, the FBI’s guidance is clear: make the machines harder to access and tampering easier to detect. This includes upgrading locks so generic keys cannot be used, adding alarms to service panels, employing sensors to detect unusual movement or heat, restricting access to the cashbox, and ensuring cameras adequately cover the ATM, with footage retained long enough to be useful in an investigation.

    Additionally, it advises hardening steps like device whitelisting to prevent unauthorized hardware connections, performing firmware integrity checks (including TPM-based integrity checks at boot), and disk encryption to decrease the likelihood that malware can be introduced by removing and modifying a drive outside the ATM.

    For reporting incidents, the FBI encourages organizations to contact their local FBI field office or submit through IC3, and asks that reports include details such as bank/branch identifiers, ATM make/model, vendor information, and any available logging.
