ATM Jackpotting Attack: Tren de Aragua Gang Exploits Ploutus Malware on Legacy Windows XP ATMs in US, Leading to Multi-State Indictments and Deportations
- Rescana

Executive Summary
In January 2026, U.S. federal authorities announced the sentencing and impending deportation of two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, for their roles in a multi-state ATM jackpotting scheme that targeted older-model Automated Teller Machines (ATMs) across the southeastern United States. The attackers connected laptops to the machines and installed Ploutus malware variants, which drive the cash dispenser directly rather than through a bank-authorized transaction, and emptied the machines of all available cash. The stolen funds, totaling hundreds of thousands of dollars, came from bank-owned ATM reserves, not from individual customer accounts. The investigation, led by the U.S. Secret Service and the South Carolina Law Enforcement Division, also fed a broader federal case in Nebraska that produced indictments against 54 individuals linked to a larger criminal network associated with the Tren de Aragua gang. The incident highlights how exposed legacy ATM fleets remain and underscores the need for stronger physical and platform-hardening controls in the financial sector. All information in this summary is directly supported by the referenced sources below.
Technical Information
The ATM jackpotting campaign relied on physical access to older-model ATMs combined with weak platform hardening, primarily machines running outdated or unsupported operating systems such as Windows XP. Attackers conducted reconnaissance to identify suitable targets, focusing on ATMs with minimal physical security and legacy software. The attack chain began with physically opening the ATM’s outer casing (the upper cabinet that houses the PC, as opposed to the cash safe), typically after business hours to avoid detection. Once inside, the perpetrators connected a laptop or other external device to the ATM’s internal components.
The primary malware used was a variant of Ploutus, an ATM malware family first documented in Mexico in 2013 and later observed in the United States. Ploutus issues dispense commands to the ATM’s cash handling hardware through the machine’s own dispenser-control middleware, so no transaction is ever authorized by the bank’s host. It was delivered in several ways: direct installation from a connected laptop, replacement of the ATM’s hard drive with a pre-infected drive, or infection of the existing drive from a USB thumb drive. The latter two methods only work where the ATM’s disk is unencrypted and the machine will boot from, or accept code from, untrusted media; both conditions are typical of the unmanaged legacy platforms this campaign targeted. Once installed, Ploutus let the attackers dispense all available cash on demand. The malware also deleted evidence of its presence, complicating forensic investigation.
Technical analysis confirms that the attackers leveraged the following tactics, techniques, and procedures (TTPs):
Attackers gained initial access by physically opening the ATM, often with lock-picking tools or master keys. They then installed the Ploutus malware, which, depending on the variant, is activated from an external keyboard attached to the ATM, over a remote command channel, or by SMS. Once triggered, the malware cashes out rapidly, dispensing the ATM’s entire reserve. To evade detection, Ploutus deleted logs and other indicators of compromise from the ATM’s system.
The campaign targeted financial institutions operating older-model ATMs, particularly those lacking recent security updates or robust physical protections. The attacks were concentrated in South Carolina, Georgia, North Carolina, and Virginia, but related activity was identified in Nebraska and other states. The technical sophistication of the operation, combined with the physical access required, indicates a high level of planning and coordination.
The Tren de Aragua gang, a Venezuelan criminal organization, was identified as the orchestrator of the broader campaign. The group’s involvement was confirmed through DOJ indictments, technical evidence from seized devices, and consistent reporting across multiple primary sources. The campaign resulted in at least 1,529 jackpotting incidents; individual institutions lost over $100,000, and some single incidents caused losses exceeding $300,000.
Mapping the attack to MITRE ATT&CK for Enterprise, the following techniques were observed: Initial Access via Hardware Additions (T1200, the attached laptop) and Replication Through Removable Media (T1091, the USB thumb drive or swapped hard drive); Execution via User Execution (T1204), with the attackers launching the malware and entering commands from an attached keyboard; Persistence via Boot or Logon Autostart Execution (T1547); Defense Evasion via Indicator Removal (T1070, the deleted logs); and Impact via Financial Theft (T1657), the closest technique to the automated cash-out observed.
The technical evidence supporting these findings is robust, including forensic analysis of compromised ATMs, DOJ indictments, and corroborated reporting from law enforcement and cybersecurity researchers.
Affected Versions & Timeline
The affected systems were primarily older-model ATMs running unsupported or outdated operating systems, such as Windows XP. The attacks exploited both software vulnerabilities and insufficient physical security controls. The campaign targeted ATMs in South Carolina, Georgia, North Carolina, and Virginia, with related activity in Nebraska and other states.
The timeline of the incident is as follows: The confirmed period of ATM jackpotting attacks in the United States spanned from at least February 2024 through December 2025. Sentencing and deportation orders for the two primary defendants were issued in January 2026. The investigation in South Carolina contributed to a broader federal case in Nebraska, resulting in indictments against 54 individuals in late 2025.
No evidence indicates that customer data or individual accounts were compromised; all stolen funds were taken directly from the banks’ ATM reserves.
Threat Activity
The threat actors demonstrated a high degree of organization and technical capability. The operation was led by members of the Tren de Aragua gang, a Venezuelan criminal organization with a history of involvement in cyber-enabled financial crimes. The attackers conducted surveillance to identify vulnerable ATMs, focusing on those with outdated software and minimal physical security.
The attack chain involved physical access to the ATM, installation of Ploutus malware via laptop, USB drive, or hard drive replacement, and execution of unauthorized cash withdrawals. The malware’s ability to delete evidence of its presence hindered detection and response efforts. The stolen funds were rapidly laundered and distributed among the criminal network.
The campaign’s scale was significant: at least 1,529 jackpotting incidents were reported, with losses exceeding $40 million across multiple states, far more than the hundreds of thousands of dollars attributed to the two sentenced defendants. The operation’s success was facilitated by the prevalence of legacy ATM systems and insufficient security controls.
Law enforcement response was coordinated across multiple agencies, including the U.S. Secret Service, South Carolina Law Enforcement Division, and the Department of Justice. The investigation led to the identification and prosecution of key members of the criminal network, as well as the exposure of broader vulnerabilities in the financial sector’s ATM infrastructure.
Mitigation & Workarounds
Mitigation efforts should prioritize the following actions, ranked by severity:
Critical: Financial institutions must harden physical access to every ATM, including tamper-evident seals, cabinet-open alarms wired to the monitoring center, and surveillance of the machine. Upgrade all ATMs to supported operating system versions with current security patches. Because the drive-swap and USB infection methods described above depend on the ATM accepting untrusted code and media, also enable full-disk encryption with the key bound to the machine, lock the boot order to the internal disk, password-protect BIOS/UEFI settings, and enforce application allow-listing so that only the signed vendor software stack can execute.
High: Implement strict access controls and monitoring for ATM maintenance activities, so that every cabinet opening can be matched to a scheduled service ticket. Deploy endpoint protection and integrity monitoring to detect unauthorized changes to ATM software or hardware, and alert on the indicators this malware leaves behind: gaps in the electronic journal, dispense events with no matching host authorization, and cabinet-open events outside scheduled service.
Medium: Conduct regular employee training and awareness programs focused on ATM security. Establish and routinely test incident response protocols for ATM compromise scenarios.
Low: Engage in information sharing with industry peers and law enforcement agencies to stay informed about emerging threats and best practices.
These recommendations are based on technical analysis of the attack methods and the vulnerabilities exploited during the campaign. Institutions operating legacy ATM systems should prioritize upgrades and enhanced security measures to mitigate the risk of similar attacks.
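The detection side of the integrity-monitoring recommendation above, written against the behaviour described in the Technical Information section (cash dispensed with no authorized transaction, journal entries deleted, the cabinet opened out of hours). This is an added example, not code from Rescana, the referenced reports, or any ATM vendor. The electronic-journal format (`seq|timestamp|EVENT|k=v;k=v`), the host authorization log format, the 60-second authorization window, the maintenance schedule and the sample log lines are all constructed assumptions; a real deployment would read the vendor's journal and the switch's authorization records instead.

```python
"""
Detection rules for ATM jackpotting indicators, run over constructed sample logs.
Added example; log formats and thresholds are assumptions, not any vendor's.

  R1  DISPENSE with no matching host authorization (same txn id, same amount,
      within AUTH_WINDOW) -> cash left the safe without an authorized transaction.
  R2  Gap in electronic-journal sequence numbers -> entries were deleted
      (Ploutus removes its own traces from the ATM).
  R3  CABINET_OPEN outside a scheduled maintenance window -> physical intrusion.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

AUTH_WINDOW = timedelta(seconds=60)  # assumed max skew between host auth and dispense


@dataclass
class JournalEvent:
    seq: int
    ts: datetime
    kind: str
    fields: dict


def parse_journal(text: str) -> list:
    """Assumed ATM electronic-journal format: seq|ISO-timestamp|EVENT|k=v;k=v"""
    events = []
    for line in text.strip().splitlines():
        seq, ts, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append(JournalEvent(int(seq), datetime.fromisoformat(ts), kind, fields))
    return events


def parse_host_auths(text: str) -> dict:
    """Assumed host authorization log: txn,ISO-timestamp,amount -> {txn: (ts, amount)}"""
    auths = {}
    for line in text.strip().splitlines():
        txn, ts, amount = line.split(",")
        auths[txn] = (datetime.fromisoformat(ts), int(amount))
    return auths


def detect(events: list, auths: dict, maintenance: list) -> list:
    """Return (rule, seq, detail) tuples for every indicator found."""
    alerts = []
    for prev, cur in zip(events, events[1:]):  # R2: journal must be contiguous
        if cur.seq != prev.seq + 1:
            alerts.append(("JOURNAL_GAP", prev.seq, f"{cur.seq - prev.seq - 1} entries missing"))
    for e in events:
        if e.kind == "CABINET_OPEN":  # R3: opening must fall inside a service window
            if not any(start <= e.ts <= end for start, end in maintenance):
                alerts.append(("UNSCHEDULED_CABINET_OPEN", e.seq, e.ts.isoformat()))
        elif e.kind == "DISPENSE":  # R1: every dispense needs a host authorization
            amount = int(e.fields["amount"])
            auth = auths.get(e.fields.get("txn", ""))
            if auth is None or auth[1] != amount or abs(e.ts - auth[0]) > AUTH_WINDOW:
                alerts.append(("UNAUTHORIZED_DISPENSE", e.seq, f"amount={amount}"))
    return alerts


def unauthorized_total(alerts: list) -> int:
    """Sum of cash dispensed without authorization, for the incident report."""
    return sum(int(d.split("=")[1]) for r, _, d in alerts if r == "UNAUTHORIZED_DISPENSE")


# Constructed sample data: a scheduled service visit, two normal withdrawals,
# then a night-time cabinet opening, deleted journal entries and a cash-out burst.
SAMPLE_JOURNAL = """\
200|2025-03-01T09:30:00|CABINET_OPEN|tech=svc-0421
201|2025-03-01T09:55:00|CABINET_CLOSED|
202|2025-03-01T13:02:11|DISPENSE|txn=A1001;amount=200
203|2025-03-01T17:45:03|DISPENSE|txn=A1002;amount=500
204|2025-03-02T02:10:05|CABINET_OPEN|
211|2025-03-02T02:31:40|DISPENSE|txn=;amount=2000
212|2025-03-02T02:31:58|DISPENSE|txn=;amount=2000
213|2025-03-02T02:32:15|DISPENSE|txn=;amount=2000
214|2025-03-02T02:32:33|DISPENSE|txn=;amount=1200
"""
SAMPLE_HOST_AUTHS = """\
A1001,2025-03-01T13:02:09,200
A1002,2025-03-01T17:45:00,500
"""
MAINTENANCE = [(datetime(2025, 3, 1, 9, 0), datetime(2025, 3, 1, 11, 0))]


def run_example() -> list:
    return detect(parse_journal(SAMPLE_JOURNAL), parse_host_auths(SAMPLE_HOST_AUTHS), MAINTENANCE)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
    print("unauthorized cash dispensed:", unauthorized_total(run_example()))
```

On the sample data the rules fire in the order an analyst would want to read them: the journal gap (six entries missing after seq 204), the unscheduled cabinet opening at 02:10, and four dispenses totalling 7,200 with no authorization behind them. The two daytime withdrawals, which do have matching host records within the window, produce nothing. R1 is the decisive rule, since jackpotting by definition moves cash without a host-authorized transaction; R2 and R3 exist because the malware deletes the journal and the attacker must open the cabinet first, so each independently survives the other being tampered with.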
References
https://www.bleepingcomputer.com/news/security/us-to-deport-venezuelans-who-emptied-bank-atms-using-malware/ (January 23, 2026)
https://abcnews4.com/news/state/venezuelan-nationals-sentenced-in-atm-jackpotting-scheme (January 22, 2026)
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to continuously assess and monitor the security posture of their vendors and critical infrastructure. Our platform supports the identification of vulnerabilities in legacy systems, facilitates compliance with regulatory requirements, and enhances incident response capabilities. For questions or further information, please contact us at ops@rescana.com.