
Escalating ATM Jackpotting Attacks: FBI Reports $20M Loss and 1,900 Incidents

Security Arsenal Team
February 27, 2026

The Heist That Isn't on the Silver Screen: The Rise of ATM Jackpotting

We often imagine high-stakes bank heists as cinematic events involving intricate tunneling or armed gunmen. However, the modern reality is quieter, faster, and far more digital. The U.S. Federal Bureau of Investigation (FBI) has released alarming statistics showing that "jackpotting"—a cyberattack that forces ATMs to dispense cash on command—is no longer a theoretical threat but a lucrative criminal enterprise.

According to recent reports, there have been 1,900 reported ATM jackpotting incidents since 2020, with 700 occurring in the past year alone. In 2025, these attacks resulted in over $20 million in losses. As financial institutions and retail operators grapple with this surge, understanding the mechanics of the attack and the necessary defensive countermeasures is critical.

The Mechanics of a Jackpotting Attack

Jackpotting is the exploitation of an ATM's internal computing platform through physical access. Most modern ATMs are specialized PCs running Windows, connected to the cash dispenser via the eXtensions for Financial Services (XFS) standard. Attackers target this interface to drive the dispenser mechanism directly.

Attack Vectors and TTPs

There are two primary methodologies used by threat actors:

  1. Black Box Attacks: This is the most prevalent method. Criminals gain physical access to the top cabinet of the ATM (the "head") where the PC and dispenser interface are located. They disconnect the standard cash dispenser cable from the ATM PC and connect a rogue physical device (a "black box" or "shimmer" for the dispenser interface). This device emulates the legitimate host machine and sends commands to the dispenser to spit out cash.

  2. Malicious Software Installation: In this scenario, attackers use a USB drive or CD-ROM to install malware directly onto the ATM's operating system. This malware often targets the XFS middleware, intercepting legitimate communication between the bank's application core and the hardware dispenser. Once installed, the malware dispenses cash upon specific input, such as entering a numerical code via the PIN pad or sending a trigger SMS through a connected mobile dongle.

The "Technician" Tactic

The initial access vector is almost always physical. Intelligence indicates that criminal crews often pose as authorized maintenance technicians. They dress the part, use high-visibility vests, and may even place an "Out of Service" sign on the machine to work uninterrupted in open areas like lobbies or strip malls.

Detection and Threat Hunting

Defending against jackpotting requires a convergence of physical security controls and digital endpoint monitoring. Since these attacks involve hardware interaction or peripheral introduction, security teams can hunt for specific anomalies on the ATM endpoints.

KQL Queries for Sentinel/Defender

If your organization manages ATMs connected to a centralized SIEM like Microsoft Sentinel, use the following KQL queries to hunt for indicators of physical tampering or USB interaction.

Hunt for USB Storage Device Insertion: Attackers frequently use USB drives to load malicious tools.

Script / Code
// USB drive mount/unmount telemetry from Defender for Endpoint (DeviceEvents table).
// UsbDriveMounted / UsbDriveUnmounted are the documented ActionType values for removable media.
DeviceEvents
| where ActionType in~ ("UsbDriveMounted", "UsbDriveUnmounted")
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath
| order by Timestamp desc


Identify Suspicious Service Executions (Black Box Indicators):

Jackpotting malware often attempts to stop legitimate XFS services or start malicious ones.

Script / Code
// Service-control tooling acting on XFS services. `has` is a whole-term match,
// so "XFS" must appear as its own token in the command line.
DeviceProcessEvents
| where FileName in~ ("sc.exe", "net.exe", "cmd.exe", "powershell.exe")
| where ProcessCommandLine has_any ("stop", "query", "delete") and ProcessCommandLine has @"XFS"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc
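As an added example, not from the article or from Microsoft, the logic of the two hunts above replayed in Python over constructed sample records, so it can be run offline against exported events, plus a correlation the two queries run separately do not give: a USB mount followed on the same ATM within a short window by a service-control command against an XFS service. Field names mirror the DeviceEvents and DeviceProcessEvents columns used above; the device names, account names, the service name "XFS Manager" and all timestamps are constructed for illustration.

```python
"""Offline replay of the two KQL hunts, with a cross-table correlation.

Added example, not part of the original article. Records below are constructed
sample telemetry, not real Defender exports; column names follow the article's queries.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed DeviceEvents-style records (hypothetical hosts and times).
DEVICE_EVENTS = [
    {"Timestamp": "2026-02-20T02:14:03Z", "DeviceName": "atm-lobby-07", "AccountName": "SYSTEM",
     "ActionType": "UsbDriveMounted", "FolderPath": "E:\\"},
    {"Timestamp": "2026-02-20T09:30:00Z", "DeviceName": "atm-branch-12", "AccountName": "svc_atm",
     "ActionType": "UsbDriveMounted", "FolderPath": "F:\\"},
]

# Constructed DeviceProcessEvents-style records; "XFS Manager" is a hypothetical service name.
PROCESS_EVENTS = [
    {"Timestamp": "2026-02-20T02:16:40Z", "DeviceName": "atm-lobby-07", "AccountName": "SYSTEM",
     "FileName": "sc.exe", "ProcessCommandLine": 'sc.exe stop "XFS Manager"'},
    {"Timestamp": "2026-02-20T09:31:00Z", "DeviceName": "atm-branch-12", "AccountName": "svc_atm",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c dir"},
    {"Timestamp": "2026-02-21T12:00:00Z", "DeviceName": "atm-branch-12", "AccountName": "svc_atm",
     "FileName": "sc.exe", "ProcessCommandLine": 'sc.exe query "XFS Manager"'},
]

SERVICE_TOOLS = {"sc.exe", "net.exe", "cmd.exe", "powershell.exe"}
SERVICE_VERBS = ("stop", "query", "delete")
# Approximates KQL `has @"XFS"`: a case-insensitive whole-term match, not a substring search.
XFS_TERM = re.compile(r"(?<![a-z0-9])xfs(?![a-z0-9])", re.IGNORECASE)


def parse_ts(ts: str) -> datetime:
    """Parse the ISO 8601 UTC ('Z') timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def usb_events(events):
    """Mirror of the first hunt: USB drive mount/unmount events, newest first."""
    hits = [e for e in events if e["ActionType"] in ("UsbDriveMounted", "UsbDriveUnmounted")]
    return sorted(hits, key=lambda e: parse_ts(e["Timestamp"]), reverse=True)


def xfs_service_commands(events):
    """Mirror of the second hunt: service-control tooling acting on an XFS service."""
    hits = []
    for e in events:
        cmd = e["ProcessCommandLine"]
        if e["FileName"].lower() not in SERVICE_TOOLS:
            continue
        if not any(verb in cmd.lower() for verb in SERVICE_VERBS):
            continue
        if XFS_TERM.search(cmd):
            hits.append(e)
    return sorted(hits, key=lambda e: parse_ts(e["Timestamp"]), reverse=True)


def correlate(device_events, process_events, window=timedelta(minutes=30)):
    """Join the two hunts on DeviceName: an XFS service command within `window`
    after a USB mount on the same ATM is a far stronger signal than either alone."""
    alerts = []
    mounts = [e for e in usb_events(device_events) if e["ActionType"] == "UsbDriveMounted"]
    for m in mounts:
        t0 = parse_ts(m["Timestamp"])
        for p in xfs_service_commands(process_events):
            t1 = parse_ts(p["Timestamp"])
            if p["DeviceName"] == m["DeviceName"] and t0 <= t1 <= t0 + window:
                alerts.append({
                    "DeviceName": m["DeviceName"],
                    "UsbMounted": m["Timestamp"],
                    "ServiceCommand": p["ProcessCommandLine"],
                    "MinutesAfterMount": round((t1 - t0).total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(DEVICE_EVENTS, PROCESS_EVENTS):
        print(f"[ALERT] {a['DeviceName']}: {a['ServiceCommand']!r} "
              f"{a['MinutesAfterMount']} min after USB mount at {a['UsbMounted']}")
```

Run stand-alone, the sample data yields a single alert for atm-lobby-07; the later XFS query on atm-branch-12 matches the second hunt on its own but falls outside the 30-minute window after that machine's USB mount, which is exactly the noise the correlation removes.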

PowerShell Script for Endpoint Auditing

For analysts who need to perform a quick remote triage of an ATM suspected to be compromised, the following PowerShell script checks for active USB storage connections and recent service changes related to XFS.

Script / Code
# Check for connected USB storage devices (Win32_Volume DriveType 2 = removable disk)
$usbs = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveType -eq 2 -and $_.DriveLetter }
if ($usbs) {
    Write-Host "[ALERT] USB Storage Detected:" -ForegroundColor Red
    $usbs | Format-Table DriveLetter, Label, FileSystem, @{Name="Size(GB)";Expression={[math]::Round($_.Capacity/1GB, 2)}}
} else {
    Write-Host "No USB storage devices currently mounted." -ForegroundColor Green
}

# Check for running services related to XFS or Diebold/NCR drivers.
# Get-CimInstance replaces the deprecated Get-WmiObject. The parentheses are required:
# without them the -or clauses match regardless of the service State.
$suspiciousServices = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.State -eq "Running" -and
    ($_.PathName -like "*xfs*" -or $_.PathName -like "*nfuse*" -or $_.Name -like "*dmadmin*")
}

if ($suspiciousServices) {
    Write-Host "[INFO] Active XFS-related Services found. Review manually." -ForegroundColor Yellow
    $suspiciousServices | Select-Object Name, DisplayName, State, PathName | Format-List
}

# Check for services installed in the last 24 hours.
# Service Control Manager logs Event ID 7045 ("A service was installed in the system") to the System log.
$timeThreshold = (Get-Date).AddHours(-24)
$newServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $timeThreshold } -ErrorAction SilentlyContinue
if ($newServices) {
    Write-Host "[ALERT] Services installed since $($timeThreshold):" -ForegroundColor Red
    $newServices | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "No new services installed in the last 24 hours." -ForegroundColor Green
}

Mitigation Strategies

Preventing ATM jackpotting requires a defense-in-depth approach that bridges the gap between cybersecurity and physical security.

  1. Physical Hardening:
    • Reinforce the top cabinet (head) of the ATM with anti-tamper alarms. If the cabinet is opened, an alert should be sent immediately to the monitoring center.
    • Ensure ATM locks are high-quality and resistant to picking.

  2. Port Blocking:
    • Disable unused USB ports in the ATM motherboard BIOS and physically seal them with epoxy or specialized port locks.
    • Disable CD/DVD drives and remove them if not required for operations.

  3. Application Whitelisting:
    • Implement strict application control (e.g., Microsoft AppLocker) on the ATM OS so that only signed, authorized banking executables can run. This prevents malicious autorun files from executing if a USB drive is inserted.

  4. Network Segmentation:
    • Place ATMs on a separate VLAN from the general corporate network. This limits lateral movement if an attacker gains network access rather than physical access.

The $20 million lost in 2025 proves that ATM jackpotting is a low-risk, high-reward crime for organized criminals. As the attack surface evolves, proactive monitoring and endpoint visibility are essential to stopping the cash flow before it hits the streets.
