Federal prosecutors unsealed criminal complaints today against David Jose Gomez Cegarra, 24, and Jesus Segundo Hernandez-Gil, 19, members of the Tren de Aragua Gang, for allegedly orchestrating a coordinated ATM “jackpotting” campaign across four U.S. states.
The defendants face charges of bank theft and conspiracy to commit bank theft, carrying maximum penalties of 10 years imprisonment.
The arrests follow a joint investigation by the FBI Cyber Division and local law enforcement agencies into a sophisticated malware-driven financial fraud operation targeting credit unions and bank ATMs.
The criminal complaint outlines a methodical attack sequence beginning with a physical ATM compromise. Per surveillance footage from the October 5, 2024, Radius Federal Credit Union incident in Kenmore, New York, conspirators accessed the ATM’s internal housing using a stolen or replicated maintenance key.
Forensic analysts identified the installation of a modified hard drive preloaded with memory-scraping malware designed to intercept Transaction Delivery Protocol (TDP) signals between the ATM’s electronic control unit (ECU) and cash dispenser.
This malware variant, believed to be a derivative of the Ploutus.D family, enabled remote command execution via SMS or Bluetooth triggers, bypassing standard hypervisor-level security protocols.
Once deployed, attackers sent predefined command codes to override daily withdrawal limits and force “cash-out” modes, draining cassette reserves within minutes.
The October 5 attack alone extracted $110,440 across multiple withdrawal cycles before fraud detection systems flagged anomalous transaction patterns.
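The article says the drain was only caught once fraud detection flagged anomalous transaction patterns. The following is an added example, not code from the article or from any bank named in it, of the kind of rule a credit union's monitoring pipeline could run over per-terminal dispense events: it flags cash dispensed without a host authorization, a burst of dispenses inside a short window, and a terminal exceeding its daily dispense ceiling. The log format, the terminal names, the thresholds (5-minute window, 3 dispenses, $5,000 per day) and the sample lines are all constructed for the example.

```python
"""Jackpotting-style cash-out detection over ATM dispense events.

Added example with constructed data; thresholds are assumptions, not a
vendor's defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, terminal id, USD dispensed, whether the
# host authorized the dispense. The first terminal shows a cash-out burst.
SAMPLE_LOG = """\
2024-10-05T02:11:03 ATM-KENMORE-01 200 AUTH
2024-10-05T02:12:19 ATM-KENMORE-01 2000 NOAUTH
2024-10-05T02:12:41 ATM-KENMORE-01 2000 NOAUTH
2024-10-05T02:13:05 ATM-KENMORE-01 2000 NOAUTH
2024-10-05T02:13:28 ATM-KENMORE-01 2000 NOAUTH
2024-10-05T02:13:50 ATM-KENMORE-01 2000 NOAUTH
2024-10-05T09:30:12 ATM-KENMORE-02 100 AUTH
2024-10-05T11:02:45 ATM-KENMORE-02 300 AUTH
"""


def parse_log(text):
    """Parse whitespace-separated dispense records into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, amount, auth = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "terminal": terminal,
            "amount": int(amount),
            "authorized": auth == "AUTH",
        })
    return events


def detect_jackpotting(events, window=timedelta(minutes=5),
                       max_in_window=3, daily_limit=5000):
    """Return {terminal: [reasons]} for terminals showing cash-out patterns.

    Rules (all thresholds are assumed for the example):
      unauthorized_dispense - cash left the dispenser with no host approval
      burst                 - more than max_in_window dispenses inside window
      daily_limit           - total dispensed in one day exceeds daily_limit
    """
    by_terminal = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_terminal[e["terminal"]].append(e)

    alerts = defaultdict(list)
    for terminal, evs in by_terminal.items():
        # Rule 1: a dispense the host never authorized is the clearest signal
        # that the dispenser is being driven locally rather than by the bank.
        for e in evs:
            if not e["authorized"]:
                alerts[terminal].append("unauthorized_dispense")

        # Rule 2: sliding window over the sorted events; alert once per terminal.
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            if len(in_window) > max_in_window:
                alerts[terminal].append("burst")
                break

        # Rule 3: per-day total against the terminal's dispense ceiling.
        totals = defaultdict(int)
        for e in evs:
            totals[e["ts"].date()] += e["amount"]
        if any(total > daily_limit for total in totals.values()):
            alerts[terminal].append("daily_limit")

    return dict(alerts)


if __name__ == "__main__":
    for terminal, reasons in detect_jackpotting(parse_log(SAMPLE_LOG)).items():
        print(terminal, sorted(set(reasons)))
```

Each rule fires independently so that a terminal that never reports a missing authorization (for example because the compromised ECU spoofs one) is still caught by the burst and daily-total rules; the exact thresholds would be tuned per terminal from its normal traffic.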
Investigators correlated the malware’s SHA-256 hash (9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08) with three subsequent incidents:
- October 6, 2024: $63,200 stolen from St. Maly’s FCU (Framingham, MA) via ATM ECU firmware downgrade to vulnerable v2.1.7
- October 17, 2024: $43,910 extracted from First National Bank of Dryden (NY) using cloned EMV chip bypass modules
- November 11, 2024: $80,250 taken from two Community First Bank ATMs (Mount Vernon, IL) through PIN pad skimmer auxiliary installations
The breakthrough came during the Illinois incidents, where Mahomet PD officers identified Gomez-Cegarra and Hernandez-Gil conducting reconnaissance on a Diebold Opteva 520 ATM. Search warrants for their rental vehicle uncovered:
- A Kali Linux-loaded Raspberry Pi 5 with custom ATM intrusion scripts
- 32GB SanDisk Cruzer containing ATM XFS middleware exploit code
- Hard drive duplicator with cloned copies labeled “ATM_ECU_Backdoor_v3.2”
Network logs from victim ATMs revealed attacker IPs routing through Tor exit nodes (82.221.128.191, 81.6.43.184) before establishing persistent SSH tunnels to command-and-control servers hosted in Panama.
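The investigators' lead came from victim-side network logs. As an added example (not code from the article or from any investigating agency), the following matches an ATM segment's outbound connection records against two indicators that are on the page, the Tor exit addresses 82.221.128.191 and 81.6.43.184, and also flags any outbound SSH from the ATM VLAN, since an ATM should not originate SSH tunnels at all. The connection log format, the ATM VLAN range 10.20.5.0/24, the allowed-port list and the sample lines are constructed for the example.

```python
"""Indicator matching over ATM-segment connection logs.

Added example with constructed data. The two IOC addresses come from the
article; the VLAN, ports and log lines are assumptions for the example.
"""
import ipaddress

# Indicators named in the article (Tor exit nodes seen in victim ATM logs).
TOR_EXIT_IOCS = {"82.221.128.191", "81.6.43.184"}

# Assumed for the example: address range of the ATM VLAN and the only
# destination port an ATM on it is expected to use outbound.
ATM_VLAN = ipaddress.ip_network("10.20.5.0/24")
ALLOWED_OUTBOUND_PORTS = {443}

# Constructed sample log: timestamp, source, destination, dest port, protocol.
SAMPLE_NETLOG = """\
2024-10-05T02:10:40 10.20.5.11 203.0.113.9 443 tcp
2024-10-05T02:10:58 10.20.5.11 82.221.128.191 22 tcp
2024-10-05T02:11:00 10.20.5.11 82.221.128.191 22 tcp
2024-10-05T02:11:44 10.20.5.11 81.6.43.184 22 tcp
2024-10-05T02:12:02 10.20.5.11 198.51.100.20 443 tcp
2024-10-05T08:15:33 10.20.5.12 203.0.113.9 443 tcp
"""


def parse_netlog(text):
    """Parse whitespace-separated connection records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto})
    return records


def find_suspicious(records, iocs=TOR_EXIT_IOCS, vlan=ATM_VLAN,
                    allowed_ports=ALLOWED_OUTBOUND_PORTS):
    """Return flagged records, each with the list of reasons it matched.

    Reasons:
      tor_exit_ioc            - destination is a known indicator address
      unexpected_outbound_port - ATM-VLAN host connected to a port outside
                                 the allowed set (e.g. SSH tunnels)
    """
    flagged = []
    for r in records:
        reasons = []
        if r["dst"] in iocs:
            reasons.append("tor_exit_ioc")
        if (ipaddress.ip_address(r["src"]) in vlan
                and r["dport"] not in allowed_ports):
            reasons.append("unexpected_outbound_port")
        if reasons:
            flagged.append({**r, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious(parse_netlog(SAMPLE_NETLOG)):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["reasons"])
```

The port rule matters as much as the indicator list: exit-node addresses change, but an ATM VLAN that is only ever supposed to reach the host processor over one port gives a stable, indicator-free detection for the persistent tunnels the article describes.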
The DOJ plans to introduce decrypted Telegram communications containing ECU manipulation tutorials and cash-out schedules.
With both defendants currently held at MCC Chicago, preliminary hearings are scheduled for March 25, 2025.
Cybersecurity experts warn that this case highlights critical vulnerabilities in legacy ATM architectures still using Windows XP Embedded systems without Secure Boot enforcement.