The U.S. Department of Justice has announced charges against 54 individuals involved in a multi-million-dollar ATM jackpotting operation that leveraged Ploutus malware to force cash withdrawals from automated teller machines across the United States. Authorities say part of the stolen funds may have been used to support international criminal activities.

According to the Justice Department, the suspects were part of an organized criminal network linked to Tren de Aragua, a group officially designated by the U.S. as a foreign terrorist organization. Investigators revealed that participants conducted systematic reconnaissance of ATM locations, assessing physical security measures, alarm systems, and law enforcement response times.
Once access was secured, the attackers installed Ploutus malware by replacing the ATM hard drive or connecting removable media. The malware issued unauthorized commands to the cash dispensing module, enabling large cash withdrawals within minutes. Certain Ploutus variants were also designed to erase forensic traces, making detection more difficult for banks and service providers.
Ploutus was first identified in Mexico in 2013. Subsequent research showed that it could operate on ATMs running Windows XP and later versions, with remote activation capabilities using special access codes. U.S. authorities report that more than 1,500 jackpotting incidents have occurred since 2021, resulting in losses exceeding $40 million.

The case underscores how attacks against physical financial infrastructure remain a critical threat in 2025. The combination of physical access, legacy operating systems, and organized criminal networks continues to make ATM jackpotting a highly effective form of financial cybercrime that demands stronger oversight from banks and regulators.