February 20, 2026

ATM jackpotting attacks are accelerating from rare security demonstrations into a growing criminal enterprise, according to a new FBI warning. The agency says more than 700 ATM attacks were recorded in 2025 alone, resulting in at least $20 million in stolen cash.
The tactic, once popularized in controlled research environments, is now being actively deployed by organized cybercrime groups. In a recent security bulletin, the FBI said attackers are combining physical tampering with malware to force machines to dispense cash without accessing customer accounts.
Many attacks involve gaining direct access to ATM hardware using widely available master keys or by breaching front panels to reach internal components. Once inside, criminals install malware designed to manipulate the machine’s operating system and override safeguards.
One strain highlighted by investigators is Ploutus, a long-tracked malware family that targets ATMs running Windows-based software. The FBI says the malware gives attackers near-total control of a compromised terminal, allowing them to trigger rapid cash payouts on demand.
The underlying vulnerability lies in how many ATMs rely on XFS (Extensions for Financial Services) software to coordinate components such as card readers, PIN pads and cash dispensers. By exploiting this interface layer, attackers can send commands directly to the dispensing mechanism, effectively bypassing banking controls.
Unlike traditional fraud schemes, jackpotting focuses on the machine itself rather than individual bank accounts. That makes detection more difficult, as financial institutions may not identify losses until after the physical cash has already been removed. Some attacks can be executed in minutes, according to the bulletin.
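Because the cash leaves the machine without any account being debited, one way an operator can surface it is to reconcile what the dispenser paid out against what the bank host authorized. The sketch below is an added example, not part of the FBI bulletin or any vendor's code; the record fields, the ATM identifier, the 60-second window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the bulletin): host-side authorizations
# and terminal-side dispenser events for one hypothetical ATM.
HOST_AUTHS = [
    {"atm": "ATM-0001", "time": "2026-01-10T02:10:05", "amount": 200},
    {"atm": "ATM-0001", "time": "2026-01-10T02:14:40", "amount": 60},
]
DISPENSES = [
    {"atm": "ATM-0001", "time": "2026-01-10T02:10:09", "amount": 200},
    {"atm": "ATM-0001", "time": "2026-01-10T02:14:44", "amount": 60},
    {"atm": "ATM-0001", "time": "2026-01-10T03:02:11", "amount": 800},
    {"atm": "ATM-0001", "time": "2026-01-10T03:02:31", "amount": 800},
    {"atm": "ATM-0001", "time": "2026-01-10T03:02:52", "amount": 800},
]

def unauthorized_dispenses(auths, dispenses, window=timedelta(seconds=60)):
    """Return dispenser events that have no matching host authorization.

    A match is the same ATM and amount, authorized at most `window` earlier.
    Each authorization covers one dispense, so a repeated payout is flagged.
    """
    unused = sorted(auths, key=lambda a: a["time"])
    flagged = []
    for d in sorted(dispenses, key=lambda d: d["time"]):
        d_time = datetime.fromisoformat(d["time"])
        match = None
        for a in unused:
            delta = d_time - datetime.fromisoformat(a["time"])
            if (a["atm"] == d["atm"] and a["amount"] == d["amount"]
                    and timedelta(0) <= delta <= window):
                match = a
                break
        if match is not None:
            unused.remove(match)  # consume the authorization
        else:
            flagged.append(d)
    return flagged

def alerts(auths, dispenses):
    """Summarize unmatched cash per ATM as {atm: (event_count, total_amount)}."""
    summary = {}
    for d in unauthorized_dispenses(auths, dispenses):
        count, total = summary.get(d["atm"], (0, 0))
        summary[d["atm"]] = (count + 1, total + d["amount"])
    return summary

if __name__ == "__main__":
    print(alerts(HOST_AUTHS, DISPENSES))
```

Run continuously rather than at end-of-day settlement, a check like this narrows the gap between the payout and the moment the loss is noticed.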
Security experts say the rise of ATM jackpotting reflects a broader shift toward hybrid cyber-physical attacks. As legacy infrastructure continues to rely on outdated operating systems and exposed service interfaces, criminals are increasingly blending malware with on-site intrusion tactics.
The FBI is urging financial institutions and ATM operators to tighten physical security, monitor for unusual software activity and audit systems running older platforms. With attacks escalating in frequency and sophistication, authorities warn the technique is likely to remain a persistent threat for banks and operators worldwide.
