FBI Issues Emergency Alert as Ploutus Malware Drains U.S. ATMs Without Cards or Accounts


Ploutus malware is powering a new wave of “jackpotting” attacks that drain U.S. ATMs without needing a bank card, customer account, or bank authorization, prompting the FBI to issue an emergency FLASH alert to financial institutions nationwide.

According to the FBI alert, threat actors are using Ploutus and related ATM jackpotting malware to control cash machines across the United States directly, bypassing normal banking transactions entirely.

Ploutus abuses the eXtensions for Financial Services (XFS) software layer, which controls when the ATM hardware moves cash, accepts cards, or prints receipts.

Instead of sending instructions from a legitimate banking application through XFS, the malware issues its own commands, forcing the dispenser to release cash on demand without contacting the bank’s authorization systems.

Once installed, Ploutus effectively turns the ATM into a standalone cash machine under criminal control.

The malware attacks the ATM itself rather than customer accounts, enabling rapid cash-out operations that can be completed in minutes and are often detected only after large sums have already been stolen.

The FBI notes that Ploutus-based tools can be adapted to work across different ATM manufacturers with minimal code changes because they target the underlying Windows systems used by many machines.

Ploutus Malware

To deploy Ploutus, attackers first obtain physical access to the ATM, often by opening the front of the machine with widely available generic keys that match standard manufacturer locks.

The FBI FLASH also highlights the use of unauthorized remote-access tools such as AnyDesk or TeamViewer, as well as USB keyboards, hubs, and flash drives connected directly to the ATM to help interact with or stage the malware.

In many cases, criminals remove the ATM’s hard drive, connect it to a separate computer, copy the malware onto it, then reinstall the drive and reboot the ATM so it starts running the malicious code.

In other scenarios, they replace the original hard drive entirely with a foreign drive or external device preloaded with Ploutus and supporting tools.

Once operational, Ploutus communicates directly with the dispenser hardware, bypassing the ATM’s original software security controls and allowing criminals to script or manually trigger multiple illicit withdrawals.

Digital indicators observed on compromised ATMs include unexpected executables such as Newage.exe, Color.exe, Levantaito.exe, NCRApp.exe, Promo.exe, WinMonitor.exe, WinMonitorCheck.exe, and Anydesk1.exe, along with several associated batch files and logs like C.dat and Restaurar.bat.

The FBI also lists multiple MD5 hashes tied to known Ploutus samples and warns banks to compare installed files against a cryptographically verified “gold image” baseline of approved software and configurations.
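As an added example (not the FBI's or the article's own code), the following Python shows what a gold-image comparison looks like in practice: it builds a SHA-256 manifest of an approved image, protects the manifest with an HMAC so the baseline itself cannot be quietly edited on the ATM, and diffs a live drive against it, flagging any added or modified file whose name appears in the indicator list above. The directory layout, file contents and signing key are constructed for the demo, and because the FBI's MD5 sample hashes are not reproduced on this page, `KNOWN_BAD_HASHES` is an empty placeholder to be populated from the advisory.

```python
"""Gold-image integrity check for an ATM software volume (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Indicator file names quoted in the article (lower-cased for comparison).
INDICATOR_NAMES = {
    "newage.exe", "color.exe", "levantaito.exe", "ncrapp.exe", "promo.exe",
    "winmonitor.exe", "winmonitorcheck.exe", "anydesk1.exe", "c.dat", "restaurar.bat",
}
# Placeholder: the FBI FLASH lists MD5 sample hashes that are not reproduced here.
KNOWN_BAD_HASHES: set[str] = set()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form; the key is held by the bank, not the ATM."""
    data = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, data, "sha256").hexdigest()


def verify_manifest(manifest: dict[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def compare_to_baseline(baseline: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Diff a live manifest against the baseline and flag indicator matches."""
    added = sorted(set(live) - set(baseline))
    missing = sorted(set(baseline) - set(live))
    modified = sorted(p for p in baseline.keys() & live.keys() if baseline[p] != live[p])
    flagged = sorted(p for p in added + modified
                     if Path(p).name.lower() in INDICATOR_NAMES or live[p] in KNOWN_BAD_HASHES)
    return {"added": added, "missing": missing, "modified": modified, "flagged": flagged}


def _populate(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: the approved image versus a drive with hypothetical changes."""
    gold = {"bin/atmapp.exe": b"approved application", "xfs/xfsmanager.dll": b"xfs layer",
            "config/ui.cfg": b"lang=en"}
    live = dict(gold)
    live["bin/atmapp.exe"] = b"approved application, patched"  # modified in place
    live["bin/Newage.exe"] = b"unexpected binary"               # name from the indicator list
    live["bin/helper.exe"] = b"unexpected binary"               # unknown, not on the list
    del live["config/ui.cfg"]                                   # removed
    with tempfile.TemporaryDirectory() as gold_dir, tempfile.TemporaryDirectory() as live_dir:
        _populate(Path(gold_dir), gold)
        _populate(Path(live_dir), live)
        baseline = build_manifest(Path(gold_dir))
        key = b"demo-signing-key"  # constructed for the demo
        tag = sign_manifest(baseline, key)
        if not verify_manifest(baseline, tag, key):
            raise RuntimeError("baseline manifest failed verification")
        return compare_to_baseline(baseline, build_manifest(Path(live_dir)))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Any file in `added` or `modified` is worth a look even when it is not in `flagged`: the indicator names are what this campaign happened to use, while the baseline diff catches whatever the next variant is called.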

FBI Impact Numbers and Emergency Guidance

Since 2020, the FBI has tracked approximately 1,900 ATM jackpotting incidents in the U.S., with more than 700 attacks and over 20 million USD in losses occurring in 2025 alone.

The sharp increase in cases and the ability of Ploutus to drain ATMs without any customer interaction led the Bureau to circulate the FLASH advisory to financial institutions, ATM vendors, and security teams.

The alert urges organizations to harden both physical and logical defenses around ATMs, including replacing default locks, adding additional keyed barriers, deploying vibration and temperature sensors, and ensuring camera coverage of machines and vestibules.

On the software side, the FBI recommends strong logging and audit policies for removable media, process creation, and system integrity events, as well as device and software whitelisting to block unauthorized USB devices and executables.

Banks are encouraged to enable hard drive encryption, verify firmware with digital signatures, and configure automatic shutdown or “out of service” states when a combination of jackpotting indicators is detected.
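The “combination of indicators” rule above can be written as a small correlation check over the audit events the FBI recommends logging. The following Python is an added example, not the FBI's guidance text or any vendor's product logic: the event schema, the approved-process allow-list and the sample event series are constructed, and in practice the inputs would be the process-creation and removable-media audit events forwarded from the ATM.

```python
"""Correlating jackpotting indicators into an automatic "out of service" decision (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Executable names quoted in the article as indicators and as remote-access tools.
INDICATOR_NAMES = {"newage.exe", "color.exe", "levantaito.exe", "ncrapp.exe",
                   "promo.exe", "winmonitor.exe", "winmonitorcheck.exe", "anydesk1.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Constructed allow-list standing in for the gold image's approved executables.
APPROVED_PROCESSES = {"atmapp.exe", "xfsmanager.exe", "svchost.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "usb_attach" or "process_start" (constructed schema)
    detail: str  # device id or image path


def classify(e: Event) -> set[str]:
    """Map one audit event to zero or more indicator categories."""
    tags: set[str] = set()
    name = PureWindowsPath(e.detail).name.lower()
    if e.kind == "usb_attach":
        tags.add("removable_media")
    elif e.kind == "process_start":
        if name in REMOTE_ACCESS_TOOLS:
            tags.add("remote_access_tool")
        elif name in INDICATOR_NAMES or name not in APPROVED_PROCESSES:
            tags.add("unapproved_process")
    return tags


def evaluate(events, window=timedelta(minutes=10)):
    """Slide a time window over the events. Two distinct indicator categories inside
    one window trigger OUT_OF_SERVICE; a single category only raises ALERT."""
    recent: list[tuple[datetime, set[str]]] = []
    decision = ("OK", None, frozenset())
    for e in sorted(events, key=lambda ev: ev.ts):
        recent.append((e.ts, classify(e)))
        recent = [(ts, t) for ts, t in recent if e.ts - ts <= window]
        active = set().union(*(t for _, t in recent))
        if len(active) >= 2:
            return ("OUT_OF_SERVICE", e.ts, frozenset(active))
        if active and decision[0] == "OK":
            decision = ("ALERT", e.ts, frozenset(active))
    return decision


T0 = datetime(2025, 1, 1, 9, 0)  # constructed timestamp
# Constructed series resembling the staging pattern the article describes.
SAMPLE_EVENTS = [
    Event(T0, "process_start", r"C:\ATM\atmapp.exe"),                           # approved
    Event(T0 + timedelta(minutes=1), "usb_attach", r"USB\VID_0000&PID_0000"),    # constructed id
    Event(T0 + timedelta(minutes=3), "process_start", r"C:\Windows\Temp\Newage.exe"),
    Event(T0 + timedelta(minutes=4), "process_start", r"C:\Users\Public\AnyDesk.exe"),
]
# Constructed benign series: a removable device alone, then approved software later.
BENIGN_EVENTS = [
    Event(T0, "process_start", r"C:\ATM\atmapp.exe"),
    Event(T0 + timedelta(hours=1), "usb_attach", r"USB\VID_0000&PID_0000"),
    Event(T0 + timedelta(hours=1, minutes=30), "process_start", r"C:\ATM\xfsmanager.exe"),
]

if __name__ == "__main__":
    for label, series in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, evaluate(series))
```

Requiring two categories keeps a technician's keyboard from taking the machine out of service on its own, while the first unapproved process after a removable-media event is enough to act, which is earlier than waiting for a dispense.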

The FBI is asking victims and operators to promptly report suspicious activity, including ATM models, logs, observed files, and network details, to local FBI field offices or the Internet Crime Complaint Center (IC3) to help track and disrupt Ploutus-driven attacks.
