ATM “Jackpotting”: The FBI’s Urgent Warning to US Banks

WASHINGTON — The FBI is sounding the alarm on a fast-growing wave of ATM attacks that look like magic to bystanders and feel like a nightmare to banks: criminals are infecting cash machines with malware and forcing them to “jackpot”—spitting out money on command in a matter of minutes. In a new FBI FLASH alert, officials say they have tracked about 1,900 malware-enabled ATM jackpotting incidents since 2020, with more than 700 incidents in 2025 alone totaling over $20 million in losses.

At the center of the warning is Ploutus, a well-known family of ATM malware. The FBI says Ploutus targets the Windows-based software stack used by many ATMs and abuses eXtensions for Financial Services (XFS)—the middleware that tells an ATM’s physical components what to do (card reader, keypad, sensors, and crucially, the cash dispenser). If an attacker can issue commands through XFS, they can bypass bank authorization entirely and instruct the machine to dispense cash “on demand.”

Critically, the FBI emphasizes that these attacks hit the ATM itself, not customer accounts—meaning the thieves aren’t typically draining your checking account with your PIN. Instead, the bank or ATM operator takes the immediate loss because the cash is dispensed without a legitimate transaction ever being approved.

So how are criminals getting malware onto machines that are supposed to be locked down? The FBI describes a pattern that blends physical access with digital compromise: attackers often use widely available generic keys to open the ATM’s front panel, then remove the hard drive, load malware, and reinstall it—or swap in a “foreign” drive or external device preloaded with malicious software—before rebooting the ATM.

How can you tell if an ATM might be compromised? Jackpotting is designed to be quick and quiet, but it often requires tampering. Red flags include: a front panel that looks misaligned or freshly opened; unusual screws, scratches, or pry marks; unexpected “Out of Service” screens; unexpected reboots; or any visible sign that someone accessed the machine’s internal ports. The FBI specifically calls out signs consistent with unauthorized device access (for example, evidence that a foreign device was connected), and urges the public to report suspicious activity.

Is your bank account safe? From jackpotting alone, generally yes—because Ploutus-style attacks don’t need your card, your PIN, or your account. However, consumers should not confuse jackpotting with skimming, which does target card data. The safest habits remain the same: use ATMs inside bank branches when possible, avoid machines with anything that looks altered around the card slot or keypad, cover the keypad while entering your PIN, and enable transaction alerts so you’ll spot suspicious withdrawals quickly.

For banks, the message is harsher: the era of “just lock the box” is over. The FBI’s alert underscores that modern ATM crime is now a hybrid operation—physical intrusion plus malware—moving at the speed of an organized crew that can empty a machine before anyone realizes it’s been turned into a cash printer.
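
For ATM operators, the sequence described above (panel access, a drive or device change, a reboot, then cash dispensed with no approved transaction) can be written as a correlation rule over machine telemetry. The Python below is an added example, not code from the FBI alert or any vendor; the event names, ATM IDs, authorization IDs and log layout are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, atm_id, event, host_authorization_id).
# Event names are hypothetical, not taken from the FBI alert or a vendor log format.
SAMPLE_EVENTS = [
    ("2025-01-10T02:11:05", "atm-17", "PANEL_OPEN", None),
    ("2025-01-10T02:13:40", "atm-17", "STORAGE_CHANGED", None),
    ("2025-01-10T02:15:02", "atm-17", "REBOOT", None),
    ("2025-01-10T02:17:30", "atm-17", "DISPENSE", None),   # no host approval
    ("2025-01-10T02:17:55", "atm-17", "DISPENSE", None),   # no host approval
    ("2025-01-10T09:30:00", "atm-22", "REBOOT", None),     # routine restart
    ("2025-01-10T09:45:10", "atm-22", "DISPENSE", "AUTH-8841"),
]

TAMPER_EVENTS = {"PANEL_OPEN", "STORAGE_CHANGED", "EXTERNAL_DEVICE"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def find_jackpot_candidates(events, window=WINDOW):
    """Return {atm_id: [reasons]} for dispenses that lack a host authorization.

    A second reason is added when the dispense follows a tamper event and
    then a reboot, both inside the correlation window.
    """
    state, alerts = {}, {}
    for ts, atm, kind, auth_id in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        seen = state.setdefault(atm, {"tamper": None, "reboot": None})
        if kind in TAMPER_EVENTS:
            seen["tamper"] = when
        elif kind == "REBOOT":
            seen["reboot"] = when
        elif kind == "DISPENSE" and auth_id is None:
            reasons = alerts.setdefault(atm, [])
            reasons.append(f"{ts} dispense without host authorization")
            tamper, reboot = seen["tamper"], seen["reboot"]
            if (tamper and reboot and tamper <= reboot
                    and when - tamper <= window and when - reboot <= window):
                reasons.append(f"{ts} follows tamper and reboot within {window}")
    return alerts


if __name__ == "__main__":
    for atm, reasons in find_jackpot_candidates(SAMPLE_EVENTS).items():
        print(atm)
        for reason in reasons:
            print("  ", reason)
```

An unauthorized dispense is flagged on its own; the tamper-then-reboot match raises confidence that the machine was physically accessed first.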