Crims hit a $20M jackpot via malware-stuffed ATMs

"They are doing this through ATM jackpotting - a cyber-physical attack in which crooks exploit physical and software vulnerabilities in ATMs to deploy malware that instructs the machine to dispense cash on demand without bank authorization. Of the 1,900 such incidents reported since 2020, more than 700 occurred in 2025 alone, according to a Thursday security alert [PDF]."
"Crims typically gain initial access via generic keys that open the ATM face, and then infect the machine with malware, either removing the ATM's hard drive and copying malware onto it before putting it back into the machine, or simply replacing the hard drive with one that's preloaded with ATM jackpotting code. Ploutus malware, which is commonly used in these attacks, exploits eXtensions for Financial Services (XFS), an open-standard API that ATMs, POS terminals, and similar devices that run banking applications use."
"The malware, however, allows the attackers to issue their own commands to XFS, bypass bank authorization, and instruct the ATM to dispense cash on demand. While these attacks don't hurt banking customers - unlike skimming, which steals people's card data and PINs - ATM jackpotting does cost financial institutions tens of millions of dollars in losses. Plus, these incidents are difficult to detect until after the cash is withdrawn."
More than $20 million was stolen from compromised ATMs last year through ATM jackpotting, a malware-assisted cyber-physical attack that has increased sharply. Approximately 1,900 such incidents have been reported since 2020, more than 700 of them in 2025 alone. Attackers open the ATM face with generic keys, then either remove the hard drive, copy malware onto it and put it back, or swap in a drive preloaded with malware such as Ploutus. Ploutus abuses the XFS API to send unauthorized dispense commands, bypassing bank authorization. These attacks do not steal customer card data, but they inflict tens of millions of dollars in losses on financial institutions and are often detected only after the cash is taken.
Read at The Register