Crims hit a $20M jackpot via malware-stuffed ATMs

The Register
February 19, 2026
AI-Generated Deep Dive Summary
Cybercriminals have been targeting ATMs across the United States with "ATM jackpotting", a technique that exploits both physical and software weaknesses to make a machine dispense cash without bank authorization. According to an FBI security alert, more than $20 million was stolen from compromised ATMs last year alone, with over 700 incidents reported in 2025. The trend highlights how cyber-physical attacks can bypass traditional cybersecurity controls.

The process typically begins with criminals opening the ATM using generic keys and inserting malware-laced hard drives or USB devices. Once running, malware such as Ploutus abuses the eXtensions for Financial Services (XFS) API, an open-standard protocol used by ATMs to communicate with banking systems. By hijacking this API, attackers can issue commands directly to the ATM, instructing it to dispense cash without any authorization from the bank. Because the cash comes from the machine rather than from any customer's account, individual customers are not harmed; the financial institution absorbs the loss and is left to foot the bill.

The FBI has identified several digital and physical indicators of compromise for ATMs running Windows, including suspicious USB activity, altered event logs, and unauthorized devices connected to the machines. Even with these clues, detection is hard: attacks often go unnoticed until the cash is already gone.

The rise in ATM jackpotting underscores the weaknesses of older ATM systems and the need for stronger security measures. For tech enthusiasts and cybersecurity professionals, the issue highlights the intersection of physical hardware and software vulnerabilities. As cybercriminals increasingly target financial infrastructure, understanding these attacks becomes crucial to safeguarding digital assets.
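The Windows-side indicators the FBI lists (USB activity, altered event logs, unknown devices) can be triaged from an exported event log. The script below is an added example, not part of the article or the FBI alert; the JSON-lines export format, the sample records, the device strings and the maintenance window are constructed for illustration, while the event IDs (Security 1102 and System 104 for a cleared log, Kernel-PnP 400 for a newly configured device) are real Windows ones.

```python
"""Triage exported Windows event records from an ATM for two jackpotting
indicators: USB storage being attached and event logs being cleared.
Added example with constructed data; not the article's or the FBI's code."""
import json
from datetime import datetime

# Real Windows event IDs: Security 1102 and System 104 both record a log
# being cleared; Microsoft-Windows-Kernel-PnP 400 records a device being
# configured (its message carries the device instance path).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
DEVICE_CONFIGURED = ("Microsoft-Windows-Kernel-PnP", 400)

# Constructed sample export (one JSON object per line) standing in for an
# ATM's event log. A USB flash disk appears at 02:14, the Security log is
# cleared seconds later, and a keyboard (HID) is configured at 09:00.
SAMPLE_EXPORT = r"""
{"ts":"2025-11-03T02:14:09","log":"System","provider":"Microsoft-Windows-Kernel-PnP","id":400,"msg":"Device USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk\\0123 was configured."}
{"ts":"2025-11-03T02:14:31","log":"Security","provider":"Microsoft-Windows-Eventlog","id":1102,"msg":"The audit log was cleared."}
{"ts":"2025-11-03T09:00:02","log":"System","provider":"Microsoft-Windows-Kernel-PnP","id":400,"msg":"Device HID\\VID_046D&PID_C31C\\6&1a2b was configured."}
""".strip()


def triage(export: str, maintenance_hours=range(8, 18)):
    """Return (timestamp, finding) tuples for suspicious records.

    maintenance_hours is a constructed service window; USB storage seen
    outside it is flagged more strongly than storage seen during a visit.
    """
    findings = []
    for line in export.splitlines():
        ev = json.loads(line)
        when = datetime.fromisoformat(ev["ts"])
        if (ev["log"], ev["id"]) in LOG_CLEARED:
            findings.append((ev["ts"], "event log cleared: %s" % ev["log"]))
        elif (ev["provider"], ev["id"]) == DEVICE_CONFIGURED:
            # Only mass-storage class devices (USBSTOR\...) are of interest;
            # keyboards and card readers enumerate under other classes.
            if ev["msg"].startswith("Device USBSTOR\\"):
                tag = "USB storage device configured"
                if when.hour not in maintenance_hours:
                    tag += " outside maintenance window"
                findings.append((ev["ts"], tag))
    return findings


if __name__ == "__main__":
    for ts, what in triage(SAMPLE_EXPORT):
        print(ts, what)
```

On a real fleet the same checks would run against a central log collector, since a cleared local log is itself the signal the attacker is trying to erase.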
The abuse of open-standard APIs like XFS shows how even well-established technologies can be turned against their owners with only brief physical access. The case also emphasizes the importance of proactive security measures, such as regular ATM firmware updates and monitoring for unusual activity. In an era where cyber-physical systems are becoming more
Originally published on The Register on 2/19/2026