
FBI Flash Alert: ATM Jackpotting Attacks Surge, Draining $20M From Banks

Security Arsenal Team
February 26, 2026

The scenario sounds like a Hollywood heist: attackers walk up to an ATM, plug in a device, and the machine obediently spits out cash like a slot machine hitting a jackpot. Unfortunately, for financial institutions, this is not fiction. According to a recent FBI Flash alert, "jackpotting" attacks have surged in 2025, resulting in over $20 million in losses for U.S. banks in a single year.

The Jackpotting Threat Landscape

Jackpotting is a form of logical attack that targets Automated Teller Machines (ATMs), forcing them to dispense currency on command. Unlike skimming, which aims to steal card data for later fraud, jackpotting provides immediate cash liquidity for cybercriminals.

The FBI’s warning highlights a disturbing trend: the attack vector is maturing. What was once the realm of highly sophisticated, state-sponsored actors has trickled down to organized crime rings leveraging off-the-shelf tools and known vulnerabilities.

Analysis: How Attackers Defeat the ATM

To protect your assets, you must understand the mechanics of the breach. Modern jackpotting generally follows two primary paths:

1. The "Black Box" Attack (Hardware Man-in-the-Middle)

This is the most prevalent method cited in recent alerts. Criminals gain physical access to the top hatch of the ATM (the "head" where the PC core resides). Once inside, they locate the cable connecting the PC to the dispenser mechanism.

  • The Tactic: They disconnect this cable and insert a rogue device (the "black box") or a laptop acting as a malicious peripheral.
  • The Result: This device sends unauthorized "dispense" commands directly to the dispenser, bypassing the ATM's PC entirely. The PC thinks it is idle, while the dispenser happily ejects cash at the attacker's command.

2. Malicious File Execution (Software Jackpotting)

Here, attackers target the ATM's operating system, usually a hardened version of Windows XPe, 7, or 10.

  • The Tactic: Attackers use an endoscope to reach internal USB ports without triggering visible alarms. They load a malware payload—often a variant of the notorious Ploutus or Cutlet Maker families—onto the system.
  • The Result: The malware interacts with the legitimate XFS (eXtensions for Financial Services) middleware. It authenticates using a hardcoded master password or exploits a service vulnerability, allowing the attacker to navigate a hidden interface via the ATM's PIN pad or keyboard to trigger withdrawals.

CVE and Vulnerability Context

While the FBI alert focuses on the impact, the root causes often lie in unpatched CVE-2021-26572 (inadequate access control on the dispenser interface) or the failure to restrict USB device enumeration at the BIOS/OS level. Many legacy ATMs still rely on weak BIOS passwords that are easily bypassed to boot from external media.

Detection and Threat Hunting

Detecting jackpotting requires a blend of physical security telemetry and endpoint monitoring. Since ATMs often run standard Windows endpoints, Security Arsenal recommends hunting for specific indicators of compromise (IOCs) on the thin clients controlling the cash dispensers.

Hunt 1: Detecting Black Box Peripherals (KQL)

Use this KQL query in Microsoft Sentinel to hunt for the sudden appearance of unidentified USB or PnP devices; black boxes and keystroke-injecting payloads often present themselves as keyboard or HID input devices to control the dispenser.

Script / Code
// AdditionalFields is a JSON blob for PlugAndPlayDeviceConnected; parse it rather than regex it
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PlugAndPlayDeviceConnected"
| extend Parsed = parse_json(AdditionalFields)
| extend ClassName = tostring(Parsed.ClassName),
         DeviceDescription = tostring(Parsed.DeviceDescription),
         VendorIds = tostring(Parsed.VendorIds)
// Keyboard/HID-class devices are what a black box or keystroke-injecting payload shows up as
| where ClassName in~ ("HIDClass", "Keyboard") or DeviceDescription has_any ("Keyboard", "Input")
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count()
            by DeviceName, ClassName, DeviceDescription, VendorIds
| order by FirstSeen desc

Hunt 2: Identifying Suspicious Service Manipulation (PowerShell)

Malware often stops or modifies legitimate XFS services to inject malicious commands. Run this PowerShell snippet on ATM images during audits to check for services configured with unauthorized "binPath" parameters pointing to temp directories.

Script / Code
# Get-CimInstance replaces the deprecated Get-WmiObject. Use -like instead of -match:
# as a regex, 'C:\Windows\Temp' fails to compile because \T is not a valid escape.
Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -like '*\Windows\Temp\*' -or
    $_.PathName -like '*%TEMP%*' -or
    $_.PathName -like '*\AppData\Local\Temp\*' -or
    $_.StartMode -eq 'Disabled'   # disabled services included: malware stops XFS services it replaces
} | Select-Object Name, DisplayName, PathName, StartMode, State | Format-Table -AutoSize -Wrap

Hunt 3: File System Anomalies (Bash)

For Linux-based ATMs or network-adjacent security sensors, scan for the creation of common jackpotting tool filenames in temporary directories.

Script / Code
# Parenthesise the -o chain: without it, -type f binds only to the first -iname test
find /mnt/atm-share -type f \( -iname "*cutlet*" -o -iname "*dispense*" -o -iname "*inject*" \) 2>/dev/null
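One way to combine the physical and endpoint telemetry this section calls for, and to catch the black box pattern from the analysis section (dispenser cash-outs with no host transaction behind them). This is an added Python example, not part of the FBI alert or Security Arsenal's tooling; the event kinds, field names and sample events are constructed assumptions about what an ATM estate's hatch sensors, Windows PnP events, host and dispenser counters report.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real ATM logs): one merged, time-ordered feed.
# "hatch_open"  - physical sensor on the ATM head (assumed feed)
# "pnp_connect" - Windows PnP event from the ATM PC (class/desc as Windows reports them)
# "host_txn"    - withdrawal authorized by the ATM application and its host (assumed feed)
# "dispense"    - cash actually leaving the dispenser, from its own counters (assumed feed)
EVENTS = [
    ("2026-02-20T09:00:00", "host_txn", {"amount": 200}),
    ("2026-02-20T09:00:03", "dispense", {"amount": 200}),
    ("2026-02-20T22:14:10", "hatch_open", {}),
    ("2026-02-20T22:15:02", "pnp_connect", {"class": "HIDClass", "desc": "USB Input Device"}),
    ("2026-02-20T22:16:30", "dispense", {"amount": 2000}),
    ("2026-02-20T22:17:05", "dispense", {"amount": 2000}),
]

def parse(events):
    """Turn ISO timestamps into datetimes; keeps (time, kind, data) tuples."""
    return [(datetime.fromisoformat(ts), kind, data) for ts, kind, data in events]

def find_unmatched_dispenses(events, window=timedelta(seconds=30)):
    """Dispense events with no authorized host transaction of the same amount in
    the preceding window: a dispenser being driven behind the PC's back."""
    evs = parse(events)
    txns = [(t, d["amount"]) for t, k, d in evs if k == "host_txn"]
    hits = []
    for t, k, d in evs:
        if k != "dispense":
            continue
        if not any(t - window <= tt <= t and amt == d["amount"] for tt, amt in txns):
            hits.append((t.isoformat(), d["amount"]))
    return hits

def find_hid_after_hatch(events, window=timedelta(minutes=10)):
    """Keyboard/HID-class PnP connections shortly after a hatch-open sensor event:
    physical access followed by a new input device appearing on the ATM PC."""
    evs = parse(events)
    hatches = [t for t, k, _ in evs if k == "hatch_open"]
    return [
        (t.isoformat(), d["desc"])
        for t, k, d in evs
        if k == "pnp_connect"
        and d.get("class") in ("HIDClass", "Keyboard")
        and any(h <= t <= h + window for h in hatches)
    ]

if __name__ == "__main__":
    print("unmatched dispenses:", find_unmatched_dispenses(EVENTS))
    print("HID device after hatch open:", find_hid_after_hatch(EVENTS))
```

The daytime dispense is cleared by its host transaction; the two late-night cash-outs and the HID device that appeared a minute after the hatch opened are what a SOC analyst should be paged on.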

Mitigation Strategies

The FBI's $20 million figure is a wake-up call. Basic hygiene is no longer sufficient. To harden your fleet against logical attacks:

  1. Enforce BIOS/UEFI Locks: Ensure BIOS passwords are set to complex values and that the boot order is strictly restricted to the internal hard drive only. Disable USB booting entirely.
  2. Application Whitelisting (AppControl): Implement strict allow-listing (e.g., AppLocker or Windows Defender Application Control) on ATM endpoints. Only signed, trusted XFS binaries should be permitted to execute.
  3. Physical Port Blocking: Physically block unused USB ports using epoxy or port locks. For required ports, use hardware-level USB switches that require authorization to enable data transfer.
  4. Network Segregation: Ensure ATMs are on a strictly isolated VLAN. They should not have unrestricted internet access. Monitor for any non-HTTPS or proprietary protocol traffic leaving the ATM segment.

Conclusion

The surge in jackpotting attacks proves that cybercriminals are evolving from digital theft to physical-logical hybrid warfare. The $20 million loss is not just a statistic; it represents a failure in the security stack that bridges the gap between the cyber realm and the physical world.

Security Arsenal is here to help you close that gap. Our Managed SOC services provide 24/7 monitoring for the endpoint anomalies that precede a jackpotting event. Don't let your assets become the next easy target.
