Hackers Stole $20M From 700 ATMs in One Year

FBI reports surge in ATM jackpotting attacks in 2025, with criminals using physical access and Ploutus malware to steal millions. Analysis of evolving cybercrime tactics.

From Conference Demo to Criminal Enterprise

In 2010, security researcher Barnaby Jack made headlines by hacking an ATM on stage at Black Hat, forcing it to spew cash like a slot machine jackpot. Back then, it was a proof-of-concept demonstration. Today, it's a $20 million criminal industry.

The FBI's latest security bulletin reveals a stark reality: ATM jackpotting has evolved from theoretical research into organized crime. In 2025 alone, hackers launched more than 700 attacks on cash dispensers across the United States, netting at least $20 million in stolen cash.

What changed? The barrier to entry collapsed. What once required deep technical expertise now operates like a franchise business, complete with how-to guides and ready-made tools.

Two Paths to Easy Money

Today's ATM hackers use a two-pronged approach that would make Jack proud—and banks nervous.

Physical access remains surprisingly simple. Criminals use generic keys to unlock ATM front panels and access hard drives directly. The dirty secret? Many ATM manufacturers use similar lock mechanisms, making universal keys disturbingly effective.

Digital infiltration represents the evolution. Hackers deploy malware called Ploutus that targets the Windows operating systems powering most ATMs. This isn't some sophisticated nation-state tool—it's readily available on dark web forums.

The Perfect Crime: No Victim Accounts Touched

Here's what makes Ploutus particularly insidious: it doesn't touch customer accounts. Instead, it manipulates the ATM itself, tricking the machine into dispensing cash without debiting any bank account. From the bank's perspective, money simply vanishes.

The malware exploits XFS software—extensions for financial services that allow ATMs to communicate with their hardware components like PIN pads, card readers, and cash dispensers. By hijacking these communications, hackers essentially remote-control the machine.

"Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn," the FBI warns.
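
Because the cash leaves the machine without a matching debit, the defender's signal is a dispense with no host authorization behind it. The reconciliation below is an added example, not code from the FBI bulletin or the source article; the record layout, ATM ids, time window and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical layout): (ISO time, ATM id, amount).
DISPENSES = [  # what the cash dispenser's own journal says left the cassette
    ("2025-06-01T02:10:05", "ATM-A", 200),
    ("2025-06-01T03:14:00", "ATM-B", 800),
    ("2025-06-01T03:14:40", "ATM-B", 800),
    ("2025-06-01T03:15:30", "ATM-B", 800),
    ("2025-06-01T09:00:20", "ATM-A", 100),
    ("2025-06-01T09:00:50", "ATM-A", 100),
]
AUTHS = [  # withdrawals the bank host approved and debited
    ("2025-06-01T02:09:50", "ATM-A", 200),
    ("2025-06-01T09:00:00", "ATM-A", 100),
]

def unauthorized_dispenses(dispenses, auths, window=timedelta(seconds=90)):
    """Dispenses with no host approval for the same ATM and amount in the
    preceding `window`. Each approval can cover only one dispense."""
    pending = defaultdict(list)
    for ts, atm, amount in auths:
        pending[(atm, amount)].append(datetime.fromisoformat(ts))
    orphans = []
    for ts, atm, amount in sorted(dispenses):
        t = datetime.fromisoformat(ts)
        approvals = pending[(atm, amount)]
        match = next((a for a in approvals if timedelta(0) <= t - a <= window), None)
        if match is None:
            orphans.append((ts, atm, amount))
        else:
            approvals.remove(match)  # consume it so it cannot match twice
    return orphans

def burst_alerts(orphans, threshold=3, span=timedelta(minutes=5)):
    """ATMs with `threshold` or more unmatched dispenses inside `span`."""
    by_atm = defaultdict(list)
    for ts, atm, _ in orphans:
        by_atm[atm].append(datetime.fromisoformat(ts))
    alerts = set()
    for atm, times in by_atm.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= span:
                alerts.add(atm)
    return sorted(alerts)

if __name__ == "__main__":
    orphans = unauthorized_dispenses(DISPENSES, AUTHS)
    print(orphans, burst_alerts(orphans))
```

The burst check matters because a single unmatched dispense can be a logging gap, while several within minutes on one machine matches the fast cash-out pattern the FBI describes.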

Banks' Billion-Dollar Blind Spot

The banking industry spent billions on securing online transactions and preventing card fraud. But they overlooked something fundamental: ATMs are computers, and computers can be hacked.

Most financial institutions focus on protecting the network perimeter—firewalls, encryption, multi-factor authentication. But ATMs often sit outside this protective bubble, connected to internal networks while remaining physically accessible to anyone with the right tools.

The irony? Banks made ATMs more vulnerable by making them smarter. Modern ATMs run full operating systems, connect to the internet, and use standardized software. Each "upgrade" created new attack vectors.

The Global Implications

This isn't just an American problem. ATM jackpotting has been reported across Europe, Asia, and Latin America. The techniques are portable, and the underlying technology—Windows-based ATMs using XFS standards—is globally ubiquitous.

For financial institutions, this represents a fundamental security rethink. Traditional cybersecurity focused on protecting data. ATM jackpotting steals physical assets while leaving minimal digital trails. It's cybercrime with analog consequences.

This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.
