The FBI is sounding the alarm about a surge in malware-enabled ATM “jackpotting” attacks across the United States, warning banks, ATM operators, and service providers to strengthen defenses now. In a February 19, 2026 IC3 FLASH advisory, the bureau shared technical details and indicators of compromise designed to help organizations detect tampering sooner and reduce the risk of rapid cash losses.
The numbers underline why the warning matters. Since 2020, roughly 1,900 jackpotting incidents have been reported, and more than 700 of those happened in 2025 alone. Losses in 2025 exceeded $20 million, making this more than an occasional wave of opportunistic crime.
How ATM jackpotting works, and why it’s so damaging
Unlike classic ATM fraud, jackpotting doesn’t rely on skimming cards, stealing PINs, or draining customer accounts. The target is the ATM itself. Attackers deploy malware that forces the machine to dispense cash without a legitimate transaction or bank authorization. Because it’s often a fast “cash-out” operation, businesses may not realize anything happened until the ATM is already empty and the perpetrators are long gone.
Ploutus malware and the XFS layer: the key technical detail
The advisory highlights jackpotting malware families such as Ploutus. A major reason these attacks work is their focus on eXtensions for Financial Services (XFS), a middleware/software layer used by many ATMs to communicate with physical components like the cash dispenser. Under normal conditions, the ATM application uses XFS commands during a legitimate transaction flow that requires bank approval. If criminals manage to run their own commands through XFS, they can bypass that authorization step and instruct the ATM to dispense cash on demand.
Why physical access is often step one
A consistent theme in the FBI’s guidance is that many infections begin with physical access to the ATM. In some cases, criminals reportedly open the ATM face using widely available generic keys. Once inside, the bureau describes several common ways malware gets deployed, including:
1) Removing the hard drive, connecting it to another computer to copy malware onto it, reinstalling the drive, and rebooting the ATM
2) Swapping the drive entirely with a “foreign” drive or connecting an external device preloaded with malware prior to reboot
This makes jackpotting a hybrid threat: it combines real-world tampering with targeted Windows malware.
Why Windows-based ATMs are frequently in scope
The FBI notes these attacks can be adapted across multiple ATM manufacturers with relatively little customization because they exploit the underlying Windows operating system on affected machines. In practice, that means attackers don’t need customer account access to steal money. The malware can interact directly with the ATM hardware and trigger cash dispensing.
Indicators of compromise (IOCs) the FBI says to watch for
The advisory lists multiple digital artifacts that defenders can use to spot a potentially compromised Windows-based ATM. Among the suspicious executables observed in incidents are:
Newage.exe, Color.exe, Levantaito.exe, NCRApp.exe, sdelete.exe, Promo.exe, WinMonitor.exe, WinMonitorCheck.exe, and Anydesk1.exe
It also calls out related files and scripts such as C.dat and Restaurar.bat, along with newly created directories that may not match a known-good baseline. The FBI additionally includes MD5 hashes tied to observed artifacts, which can help security teams match known malicious samples during forensic review.
Beyond files on disk, the bureau warns to be alert for the misuse of remote access tools, including unauthorized instances or suspicious usage of products like TeamViewer or AnyDesk. It also flags unusual persistence mechanisms such as abnormal autoruns and unexpected custom services added in common Windows registry and service locations.
Physical and operational warning signs that can reveal staging
Because many jackpotting campaigns involve onsite manipulation, the FBI emphasizes the importance of monitoring physical signals and operational anomalies. Key indicators can include:
USB insertion events and detection of connected devices like USB keyboards, USB hubs, and flash drives
ATM door-open alerts outside approved maintenance windows
Unexpected “low cash” or “no cash” states that don’t align with normal usage patterns
Unauthorized devices connected inside the machine
Evidence of hard drive removal or swapping
In other words, jackpotting doesn’t always look like a network intrusion at first. It can look like a “routine” service event until you correlate logs, sensors, and camera footage.
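Correlating the physical and operational signals listed above is the kind of logic a monitoring team would run over sensor and event feeds. The following is an added example, not code from the advisory: the log lines, ATM identifiers, event names and maintenance windows are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sensor/log lines (not from the advisory): "timestamp,atm_id,event,detail"
SAMPLE_LOG = """\
2026-02-10T02:14:05,ATM-0031,DOOR_OPEN,top_hat
2026-02-10T02:15:40,ATM-0031,USB_INSERT,USB Mass Storage Device
2026-02-10T02:29:12,ATM-0031,REBOOT,unexpected
2026-02-10T02:41:50,ATM-0031,CASH_LOW,cassette_1
2026-02-10T10:02:00,ATM-0044,DOOR_OPEN,top_hat
2026-02-10T10:05:30,ATM-0044,USB_INSERT,USB Keyboard
"""

# Hypothetical approved maintenance windows per ATM: (start, end).
MAINTENANCE = {
    "ATM-0044": [(datetime(2026, 2, 10, 9, 0), datetime(2026, 2, 10, 11, 0))],
}

@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    detail: str

def parse_log(text):
    return [Event(datetime.fromisoformat(ts), atm, kind, detail)
            for ts, atm, kind, detail in
            (line.split(",", 3) for line in text.splitlines() if line.strip())]

def in_maintenance(ev):
    return any(start <= ev.ts <= end for start, end in MAINTENANCE.get(ev.atm, []))

def correlate(events, lookback=timedelta(minutes=45)):
    """A door-open outside an approved window is an alert on its own.
    USB insertion, a reboot or a cash-low state on the same ATM within
    `lookback` of such an opening is escalated, since that sequence is
    the staging pattern described in the advisory."""
    alerts = []
    for ev in events:
        if ev.kind == "DOOR_OPEN" and not in_maintenance(ev):
            alerts.append((ev.atm, ev.ts, "door opened outside maintenance window"))
        elif ev.kind in ("USB_INSERT", "REBOOT", "CASH_LOW") and any(
                p.atm == ev.atm and p.kind == "DOOR_OPEN" and not in_maintenance(p)
                and timedelta(0) <= ev.ts - p.ts <= lookback for p in events):
            alerts.append((ev.atm, ev.ts, f"{ev.kind} ({ev.detail}) after unauthorised door-open"))
    return alerts
```

On the sample data ATM-0031 produces four alerts (the door-open plus three escalations), while the keyboard plugged into ATM-0044 during its approved window produces none.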
Mitigation steps: integrity baselines, removable media controls, and stronger physical security
A major takeaway from the advisory is that layered defense matters. One of the most actionable recommendations is to validate ATM files and hashes against a controlled “gold image.” Any deviation—especially newly introduced or unsigned binaries—should be treated as a potential compromise that warrants immediate investigation.
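One way to implement the gold-image check the advisory recommends is to hash every file on the ATM and diff the result against a baseline manifest, escalating any new file whose name matches the IOC list above. This is an added example, not FBI or vendor code: the directory layout, file names other than the advisory's IOC names, and file contents are constructed in temporary directories, and SHA-256 is used for the baseline (the advisory's own hashes are MD5).

```python
import hashlib
import tempfile
from pathlib import Path

# File names the advisory lists as observed in incidents; matched case-insensitively.
IOC_FILENAMES = {n.lower() for n in (
    "Newage.exe", "Color.exe", "Levantaito.exe", "NCRApp.exe", "sdelete.exe",
    "Promo.exe", "WinMonitor.exe", "WinMonitorCheck.exe", "Anydesk1.exe",
    "C.dat", "Restaurar.bat")}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (the gold image)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify(live_root, manifest):
    """Compare a live ATM tree with the gold-image manifest and return
    sorted (severity, relative_path, reason) findings. Any file not in the
    baseline is a potential compromise; advisory IOC names are escalated."""
    live = build_manifest(live_root)
    findings = []
    for rel, digest in live.items():
        if rel not in manifest:
            sev = "critical" if Path(rel).name.lower() in IOC_FILENAMES else "high"
            findings.append((sev, rel, "not in gold image"))
        elif manifest[rel] != digest:
            findings.append(("high", rel, "hash differs from gold image"))
    for rel in manifest.keys() - live.keys():
        findings.append(("medium", rel, "missing from live system"))
    return sorted(findings)

def demo():
    """Constructed gold image and tampered live tree in temp dirs (not real ATM paths)."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as live:
        for root, tampered in ((gold, False), (live, True)):
            app = Path(root, "Program Files", "ATMApp")
            app.mkdir(parents=True)
            (app / "atmapp.exe").write_bytes(b"legitimate application bytes")
            (app / "vendor.dll").write_bytes(b"patched" if tampered else b"vendor build")
            if tampered:  # a binary absent from the gold image, named like an IOC
                (app / "Newage.exe").write_bytes(b"unknown binary")
        return verify(live, build_manifest(gold))
```

Running `demo()` reports the IOC-named binary as critical and the altered DLL as high, while the unchanged executable produces no finding.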
The FBI also urges organizations to tighten monitoring and auditing around removable storage, file access, and process creation, since staging activity may not be obvious through traditional network-only monitoring.
On the physical hardening side, the bureau’s guidance focuses on making unauthorized access harder and tampering easier to detect, including:
Upgrading locks so generic keys can’t open service panels
Adding alarms to service panels and improving tamper detection
Using sensors that detect unusual movement or heat
Limiting access to the cashbox and tightening maintenance procedures
Ensuring cameras properly cover the ATM area and retaining footage long enough to support investigations
Additional hardening recommendations include device whitelisting to block unauthorized hardware connections, firmware integrity checks (including TPM-based integrity checks during boot), and disk encryption to reduce the risk of malware being introduced by removing and modifying a drive outside the ATM.
What to report if your organization is hit
For incident response and investigation support, the FBI encourages organizations to report jackpotting events to their local FBI field office or through IC3. The bureau also asks for practical details that can speed analysis, such as bank or branch identifiers, the ATM’s make and model, vendor information, and any available logs.
As jackpotting incidents rise, the advisory makes one point clear: the most effective defense blends cybersecurity controls with real-world physical security. Organizations that baseline their systems, monitor for both digital and physical anomalies, and lock down service access are better positioned to catch these attacks before cash starts dispensing.