U.S. DOJ Charges 54 in Ploutus Malware ATM Jackpotting Attacks Targeting Diebold Nixdorf and Kalignite Systems
- Rescana
- Dec 21, 2025
- 6 min read

Executive Summary
Between February 2024 and December 2025, a coordinated criminal campaign targeted U.S. banks and credit unions using the advanced Ploutus malware to execute ATM jackpotting attacks. The U.S. Department of Justice (DOJ) has indicted 54 individuals, all allegedly linked to the Venezuelan gang Tren de Aragua (TdA), a group designated as a foreign terrorist organization. The attackers gained physical access to ATMs, installed Ploutus via hard drive replacement or removable media, and forced machines to dispense millions of dollars in cash. The DOJ reports at least 1,529 jackpotting incidents and $40.73 million in losses as of August 2025, with individual institutions suffering losses exceeding $100,000 and one Nebraska credit union losing $300,000 in a single event. The proceeds are alleged to have funded broader criminal and terrorist activities. The campaign demonstrates the ongoing risk posed by sophisticated malware, physical security weaknesses, and the intersection of cybercrime with organized crime and terrorism. All information in this summary is directly supported by the cited sources below.
Technical Information
The ATM jackpotting scheme leveraged a combination of physical intrusion and advanced malware deployment to compromise automated teller machines across the United States. The attackers, identified as members and associates of Tren de Aragua, conducted methodical surveillance of targeted ATMs, focusing on both banks and credit unions. Reconnaissance included assessing external security measures and determining the likelihood of triggering alarms or law enforcement responses upon accessing the ATM’s internal components (The Hacker News, 2025-12-20; The Record, 2025-12-19; Security Affairs, 2025-12-20).
Attack Vector and Execution: Attackers gained initial access by physically opening the ATM’s hood or cabinet, typically using a master key or lock-picking tools. After confirming the absence of immediate alarms or law enforcement response, they proceeded to install the Ploutus malware. This was achieved by either replacing the ATM’s hard drive with one preloaded with the malware, removing and infecting the existing hard drive, or connecting a removable device such as a USB thumb drive. Once installed, Ploutus enabled the attackers to issue unauthorized commands to the ATM’s cash dispensing module, causing the machine to release all available cash on demand. The malware could be activated using a physical keyboard or an activation code provided by a remote operator (The Hacker News; The Record; Security Affairs).
Malware Capabilities: Ploutus is recognized as one of the most advanced ATM malware families. First detected in Mexico in 2013, it has evolved through multiple variants to support a range of ATM vendors, including Diebold Nixdorf and the Kalignite Platform, and is compatible with various Windows operating systems. The malware’s features include the ability to delete evidence of its presence, making forensic analysis and detection significantly more difficult. Earlier versions allowed cash-out via external keyboard or SMS, while later variants improved compatibility and evasion techniques (The Record; The Hacker News).
Operational Tactics: The criminal crews operated in coordinated groups, conducting reconnaissance, breaching ATM cabinets, and installing malware. After successful cash-out, the stolen funds were divided among the operational teams and senior gang leadership. The DOJ reports that the proceeds were laundered and, in part, used to fund other criminal and terrorist activities associated with Tren de Aragua (Security Affairs).
MITRE ATT&CK Mapping:
- Initial Access: Physical access to ATM (adapted from T1190: Exploit Public-Facing Application)
- Execution: User execution of malicious files and command input (T1204.002, T1059)
- Persistence: Boot or logon autostart execution (T1547)
- Defense Evasion: Indicator removal on host (T1070)
- Impact: Data manipulation and destruction, automated cash exfiltration (T1565, T1485, T1020 adapted)
Attribution and Evidence Quality: Attribution to Tren de Aragua is supported by DOJ indictments, technical evidence from seized devices, and consistent reporting across all cited sources. The technical details of the attack, including the use of Ploutus, physical access methods, and cash-out techniques, are corroborated by primary source reporting and official statements. The evidence quality for these claims is high, with direct references to law enforcement actions and technical analysis.
Sector-Specific Implications: The financial sector, particularly banks and credit unions, remains at high risk from both physical and cyber-enabled ATM attacks. The campaign exploited outdated ATM operating systems and insufficient physical security controls. The use of advanced malware capable of deleting its own traces highlights the need for improved ATM security, regular software updates, and enhanced physical security measures. The incident also demonstrates the intersection of cybercrime, organized crime, and terrorism, emphasizing the need for coordinated defense strategies.
Affected Versions & Timeline
The attacks primarily targeted ATMs running vulnerable or outdated operating systems, including various versions of Windows (notably Windows XP and later), and machines from vendors such as Diebold Nixdorf and those using the Kalignite Platform (The Record). The Ploutus malware is compatible with multiple ATM platforms and has been updated over time to bypass new security measures.
The timeline of verified events is as follows:
- 2013: Ploutus malware first detected in Mexico (The Hacker News).
- February 2024 – December 2025: Confirmed period of ATM jackpotting attacks in the U.S., with at least 63 incidents attributed to the indicted group of 22 individuals, including 54 attacks on credit unions (The Record).
- August 2025: $40.73 million in losses from 1,529 jackpotting incidents reported in the U.S. (The Hacker News).
- October 21, 2025: Indictment of 32 individuals returned (The Hacker News).
- December 9, 2025: Indictment of 22 individuals returned (The Hacker News).
- December 19-20, 2025: DOJ public announcement of indictments (The Record; Security Affairs).
Threat Activity
The threat activity was characterized by a high degree of organization and technical sophistication. The indicted individuals, acting as part of Tren de Aragua, conducted coordinated attacks across the U.S., focusing on both urban and rural financial institutions. The attackers performed detailed reconnaissance to identify vulnerable ATMs, often targeting those with outdated operating systems or insufficient physical security.
The attack chain involved physical breach of the ATM, installation of Ploutus malware via hard drive replacement or removable media, and execution of unauthorized cash dispensing commands. The malware’s ability to delete its own traces significantly hindered detection and response efforts. The stolen funds were rapidly laundered and distributed among the criminal network, with a portion allegedly used to support broader criminal and terrorist operations.
The DOJ’s investigation revealed that the group attempted or succeeded in at least 63 jackpotting incidents, with confirmed losses of $5.4 million by one group of 22 defendants and an additional $1.4 million in failed attempts. Individual financial institutions suffered significant losses, with several losing over $100,000 and one Nebraska credit union losing $300,000 in a single attack (The Record).
The campaign’s scale and impact underscore the persistent threat posed by organized criminal groups leveraging advanced malware and physical attack techniques against critical financial infrastructure.
Mitigation & Workarounds
Mitigation of ATM jackpotting attacks using Ploutus malware requires a multi-layered approach, addressing both technical and physical security controls. The following recommendations are prioritized by severity:
Critical: Financial institutions must immediately review and enhance physical security controls for all ATMs, including the use of tamper-evident seals, alarm systems, and surveillance cameras. All ATMs should be regularly inspected for signs of unauthorized access or tampering.
Critical: All ATMs running outdated or unsupported operating systems, such as Windows XP, must be upgraded to supported versions with the latest security patches. Institutions should work with ATM vendors, including Diebold Nixdorf and those using the Kalignite Platform, to ensure all software and firmware are up to date.
High: Implement strict access controls and monitoring for ATM maintenance activities. Only authorized personnel should have access to ATM internals, and all maintenance actions should be logged and reviewed.
High: Deploy endpoint protection and integrity monitoring solutions capable of detecting unauthorized changes to ATM software or hardware configurations. Regularly audit ATM logs for signs of suspicious activity, such as unexpected reboots or software installations.
Medium: Conduct regular employee training and awareness programs focused on ATM security, including recognition of physical tampering and social engineering tactics.
Medium: Establish incident response protocols for suspected ATM compromise, including immediate isolation of affected machines, forensic analysis, and notification of law enforcement.
Low: Engage in information sharing with industry peers and law enforcement agencies to stay informed about emerging threats and attack techniques targeting ATM infrastructure.
These recommendations are based on the confirmed attack methods and vulnerabilities exploited in the documented campaign. Institutions should prioritize actions according to their risk exposure and operational context.
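The integrity-monitoring and log-audit recommendations above can be approximated with two small checks run from the ATM's management host. The script below is an added example written for this report, not code from Rescana, the DOJ sources, or any ATM vendor. It (1) builds a SHA-256 baseline manifest of the ATM software directory and reports files that were added, removed or modified since the baseline, which is what a swapped hard drive or a dropped payload produces, and (2) scans exported Windows System-log lines for the signals the text names: unexpected reboots and service installs outside a maintenance window. The pipe-delimited log format, the 02:00-04:00 maintenance window, the directory layout and every sample line are assumptions constructed for the example; the event IDs 6008, 1074 and 7045 are standard Windows System-log IDs.

```python
"""Added example (not the report's or any vendor's code): file-integrity
baseline plus a log scan for unexpected reboots and service installs."""
import hashlib
import tempfile
from datetime import datetime, time
from pathlib import Path

# Windows System-log event IDs used below (standard IDs, not page-specific):
#   6008  "The previous system shutdown ... was unexpected" (EventLog)
#   1074  a process initiated a shutdown or restart (User32)
#   7045  a service was installed in the system (Service Control Manager)
UNEXPECTED_SHUTDOWN = 6008
PLANNED_SHUTDOWN = 1074
SERVICE_INSTALLED = 7045

# Assumed maintenance window: technician visits are expected only between
# 02:00 and 04:00; reboots or installs outside it are flagged for review.
MAINT_START, MAINT_END = time(2, 0), time(4, 0)


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Return files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def in_maintenance_window(ts: datetime) -> bool:
    return MAINT_START <= ts.time() < MAINT_END


def scan_events(lines) -> list:
    """Flag log lines matching the reboot/install signals named in the text.

    Assumed export format: timestamp|event_id|source|message (constructed).
    """
    findings = []
    for line in lines:
        ts_str, eid, _source, message = line.split("|", 3)
        ts = datetime.fromisoformat(ts_str)
        eid = int(eid)
        if eid == UNEXPECTED_SHUTDOWN:
            findings.append((ts_str, "unexpected shutdown/reboot"))
        elif eid == PLANNED_SHUTDOWN and not in_maintenance_window(ts):
            findings.append((ts_str, "reboot outside maintenance window"))
        elif eid == SERVICE_INSTALLED and not in_maintenance_window(ts):
            findings.append((ts_str, "service installed outside maintenance "
                                     f"window: {message}"))
    return findings


# Constructed sample log export; not real ATM telemetry.
SAMPLE_EVENTS = [
    "2025-03-01T02:15:00|1074|User32|Technician restart after dispenser update",
    "2025-03-03T23:41:12|6008|EventLog|The previous system shutdown at 11:38 PM was unexpected",
    "2025-03-03T23:44:05|7045|Service Control Manager|A service was installed: ExampleSvc",
    "2025-03-04T09:00:00|6005|EventLog|The Event log service was started",
]


def demo() -> dict:
    """Simulate baseline, tampering and a log review; return both findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "atm.exe").write_bytes(b"original binary")   # assumed layout
        baseline = build_manifest(root)
        (root / "app" / "atm.exe").write_bytes(b"replaced binary")   # simulated swap
        (root / "app" / "extra.dll").write_bytes(b"dropped file")    # simulated drop
        return {"files": diff_manifest(baseline, build_manifest(root)),
                "events": scan_events(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline manifest is generated from a known-good image, stored off the ATM (a swapped drive carries its own, attacker-controlled copy), and compared at every boot and after every technician visit; the log scan runs over the central log collector rather than on the ATM, so that an on-host cleanup such as Ploutus's evidence deletion cannot erase the record.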
References
https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html
https://therecord.media/doj-charges-gang-malware-ploutus
https://securityaffairs.com/185908/cyber-crime/atm-jackpotting-ring-busted-54-indicted-by-doj.html
All claims and technical details in this report are directly supported by the above sources.
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber and physical risks across their extended supply chain. Our platform enables continuous monitoring of vendor security posture, supports incident response coordination, and offers actionable insights for improving resilience against complex threats such as those targeting ATM infrastructure. For questions or further information, please contact us at ops@rescana.com.