The FDIC OIG is alerting banks about an increase in a type of fraud known as “ATM Jackpotting.” ATM Jackpotting involves criminal actors accessing ATMs and placing malware on the system, enabling them to illegally dispense cash from the bank’s cash supply. The process is often run by sophisticated, organized crime rings, with some members at the physical location (accessing the machine and hard drive) and others operating in foreign jurisdictions (transmitting malware codes).
The FBI estimates 700 instances of ATM Jackpotting and losses totaling more than $20 million in 2025.
Additional Resources:
- FBI Flash: Increase in Malware Enabled ATM Jackpotting Incidents Across the United States
- United States Secret Service Cybercrime Investigations Alert: Uptick in ATM Jackpotting Attacks
Case Examples:
- Investigation into International “ATM Jackpotting” Scheme and Tren de Aragua results in Additional Indictment and 87 Total Charged Defendants
- Two Venezuelan Nationals Indicted for Conspiracy to Steal Cash in ATM “Jackpotting” Scheme in Merced and Tulare Counties and Elsewhere
- Six Men Indicted in Connection with “ATM Jackpotting” Conspiracy
How this Fraud Targets ATMs
A criminal actor will access the ATM, most often by opening an ATM face, and remove the hard drive to place malware onto the device before returning the hard drive to the ATM. Once the malware is installed, the perpetrator will dispense the cash from the ATM. The malware interacts directly with the ATM hardware, bypassing any communications or security of the original ATM software.
Other methodologies utilize devices to connect directly with the ATM hard drive.
ATM Jackpotting Warning Signs:
Prior to committing fraud, perpetrators might do the following:
- Initiate surveillance of an ATM location to look for re-stocking and personnel routines, or CCTV placement.
- Take photographs of the ATM to determine the necessary key to access the system.
- Try to access an ATM and quickly leave to observe law enforcement response time and determine if there are any alarms on the machine.
These criminals will then access the machine, download the malware, and receive instructions from the foreign actors to go through the process of dispensing the cash.
Typically, these criminals will access multiple ATMs from one financial institution on the same day, or consecutive days, if they can confirm their ability to access the machines.
The most common target locations are standalone ATMs in more rural locations.
Other warning signs include:
- ATM door open outside of planned maintenance schedule.
- New executable files that are not expected, appearing on the ATM hard drive.
- Detection of unauthorized devices such as USB keyboards, USB hubs, or flash drives.
- Removal of an ATM hard drive.
- Low or no cash indicators outside of expected use schedule.
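The warning signs above can be checked automatically against ATM event data. The following is an added example, not part of the original alert: the event names, fields, allowlist and quiet hours are hypothetical assumptions, and the sample events are constructed. It flags each listed sign and then links ATMs that alert on the same or consecutive days, the multi-machine pattern described earlier.

```python
from datetime import datetime

# Constructed sample data. Event names and fields are hypothetical, not a vendor log format.
MAINTENANCE = {"ATM-01": [(datetime(2025, 3, 4, 9), datetime(2025, 3, 4, 11))]}
BASELINE_EXES = {"atmapp.exe"}   # assumed allowlist; compare file hashes in practice
QUIET_HOURS = range(0, 5)        # assumed hours when a low-cash signal is unexpected
EVENTS = [  # (timestamp, atm_id, event, detail), all ATMs at one institution
    ("2025-03-04T09:30", "ATM-01", "door_open", ""),
    ("2025-03-05T02:10", "ATM-01", "door_open", ""),
    ("2025-03-05T02:12", "ATM-01", "disk_removed", ""),
    ("2025-03-05T02:25", "ATM-01", "new_executable", "svc_update.exe"),
    ("2025-03-05T02:40", "ATM-01", "cash_low", ""),
    ("2025-03-06T01:55", "ATM-02", "usb_attached", "keyboard"),
    ("2025-03-06T02:05", "ATM-02", "new_executable", "atmapp.exe"),
    ("2025-03-20T03:00", "ATM-03", "door_open", ""),
]
PHYSICAL = {"door_open": "door open", "disk_removed": "hard drive removed",
            "usb_attached": "USB device attached"}

def planned(atm, ts):
    """True if ts falls inside a planned maintenance window for this ATM."""
    return any(start <= ts <= end for start, end in MAINTENANCE.get(atm, []))

def warning_signs(events):
    """Return (time, atm_id, reason) for every event matching a listed warning sign."""
    alerts = []
    for raw, atm, kind, detail in events:
        ts = datetime.fromisoformat(raw)
        if kind in PHYSICAL and not planned(atm, ts):
            alerts.append((ts, atm, PHYSICAL[kind] + " outside maintenance"))
        elif kind == "new_executable" and detail.lower() not in BASELINE_EXES:
            alerts.append((ts, atm, "unexpected executable " + detail))
        elif kind == "cash_low" and ts.hour in QUIET_HOURS:
            alerts.append((ts, atm, "low cash outside expected use"))
    return alerts

def linked_atms(alerts):
    """Group ATMs alerting on the same or consecutive days; keep groups of 2+ machines."""
    groups, last_day = [], None
    for ts, atm, _ in sorted(alerts):
        if last_day is None or (ts.date() - last_day).days > 1:
            groups.append(set())
        groups[-1].add(atm)
        last_day = ts.date()
    return [sorted(g) for g in groups if len(g) > 1]

if __name__ == "__main__":
    found = warning_signs(EVENTS)
    for ts, atm, reason in found:
        print(ts.isoformat(), atm, reason)
    print("linked:", linked_atms(found))
```

The door opening on ATM-01 during its planned window and the allowlisted executable on ATM-02 produce no alert; the isolated ATM-03 alert is reported but not linked to the other two machines.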
Mitigation and Prevention
To mitigate or prevent the occurrence of this type of fraud, the following tactics should be considered:
- Re-key all ATMs with unique access keys.
- Add an ATM security gate to the front of the machine.
- Encrypt ATM software.
- Install ATM Hood alarms that must be disengaged with a code.
- Utilize CCTV cameras and license readers.
- Change standard locks on ATM devices to prevent the use of keys available for purchase online.
- Add Tamper-Resistant Screws to hold the ATM hard drive in place.
- Train employees on surveillance awareness:
  - Unusual vehicle activity in or around the branch location.
  - Individuals photographing the facility.
  - Unexpected alarms on ATMs late at night.
Responding to Potential Fraud
If you believe that an ATM has been targeted by this type of fraud, you should:
- Immediately contact local law enforcement, the FBI (www.fbi.gov/contact-us/field-offices or the FBI Internet Crime Complaint Center at www.ic3.gov), and the FDIC OIG hotline.
- Preserve all applicable surveillance footage.
- Close the ATM lane and treat the area as a crime scene.