'Jackpotting' Hits ATMs in the U.S.

Who would not want to win a Jackpot if it were extremely easy? It seems like hackers in the United States have found their method by “jackpotting” stand-alone ATMs. Back in January, the US Secret Service reported that ATMs were hit by hackers in all major regions of the country, and major media outlets believe that more than 1 million dollars were stolen. In fact, exactly a year ago, we published an article on the Ploutus ATM Trojan infection, where we talked about how this malware is used to sweep out ATMs in Latin America. And now it seems that it is finally America’s turn.

Although ATM jackpotting has been well known for a couple of years already, most of the affected ATMs were located in Europe, Latin America, and Asia. For instance, in one such occurrence back in 2016 in Japan, a gang of criminals managed to steal USD 13 million from across Japan within two hours. However, the US seemed to be relatively immune to these types of attacks. So what has changed? Or why did the hackers suddenly decide to focus on the US ATMs? According to various news outlets and cyber security specialists, this transition must have been gradual. The assumption is that it was probably easier to get away after having robbed an ATM in specific Latin American, Asian or European countries. It might also be that the wave of recent jackpotting attacks in the US is more like a test ride, just to see how successful they could be in the new environment.

The biggest security concern at the moment is that the US Secret Service and the Federal financial crimes investigators believe that there might be more attacks planned across the entire country. And we are not talking just about those cases when the attackers have to physically be there. It is also very likely that they could install dormant malware on a handful of ATMs and then come back for them later. Therefore, this attack vector creates a new headache and more homework for security specialists who work for banks and other ATM owners: they have to figure out how to protect their property and funds from future attacks.

According to various reports, the attacks started back in December, and the Federal financial crimes investigators have since then notified ATM owners. Authorities first noticed that hackers were targeting ATMs after an unsuccessful attempt to rob an ATM in D.C. As mentioned, since the beginning of these attacks, especially in the second half of January, the criminals still managed to cash out more than a million dollars, sending serious alarm signals to the security services.

It might be somewhat complicated to grasp the jackpotting concept if you are only used to virtual computer infections. However, technically there is no way for the criminals to affect ATM operating systems virtually because ATMs are not connected to the virtual network. All the ATMs that have suffered the attacks were stand-alone machines usually located at pharmacies, big-box retailers and drive-thru stations. Therefore, your usual malware infection methods do not work in this case, and the criminals need to look for other ways to take over the ATM operating systems.

So what do they do? Hackers pretend to be ATM technicians and approach their targets carrying technical equipment that could easily make other people think that they are the real deal. They attach a laptop or a mobile phone to the ATM, sync the machine’s hard disc with theirs and then upload the malicious program onto the ATM’s system, successfully scrambling it. Once they have the system under their control, they literally hit the jackpot. This is also where the name of this technique comes from: when you hit the jackpot, your “money” starts flowing like a torrential rain, and a similar thing happens when ATMs get hit with this infection. An ATM affected by this infection can literally cough up more than 100 bills a minute, making it look like a sad jackpot machine.

Thus, as you can see, unless hackers have physical access to the target machine, they cannot upload the malware. It is still not clear which malicious infection they use to compromise the operating systems, but security experts suggest that it could be the Ploutus.D Trojan that was used to attack ATMs in Latin America from 2013 to 2016. Various reports say that this infection was then used together with the Kalignite ATM platform, which allowed the infection to be applied in 80 countries. Still, more in-depth research on the affected machines is necessary to determine whether hackers really used the said ATM malware.

Aside from the infection details, it is also important to emphasize that regular consumers should not be concerned with these attacks. Since jackpotting is more about attacking single ATMs rather than the entire banking network, these attacks cannot dent your savings or affect your financial security in any way. Of course, it might end up being quite annoying if you stop by an ATM for some cash, and it turns out that the said ATM was swept out clean by the criminals, but what are the chances?

In fact, the ones who should do something about these attacks are the ATM owners and security firms that are hired to protect those ATMs. Security experts urge banks and other firms that operate countless ATMs to invest in upgrading the operating systems within the machines. Reportedly, some of those systems could be more than 17 years old (like Windows XP), so it should not be surprising that criminals are able to override them. Also, something should be done about physical access. Owners should take measures to prevent it: monitoring an ATM would probably make it somewhat more difficult to approach.

We are sure that this story is still far from over, and there will definitely be further developments that we can look forward to. It is also very likely that such attacks will spur new developments in ATM and financial security areas.

In non-techie terms:

Criminals are using malware to “jackpot” ATMs in the United States and around the world. This criminal activity is more dangerous for banks and ATM owners, and regular ATM users should not be concerned about it. However, the fact that jackpotting was spotted in the United States means that the criminal ring is expanding its activities, and more companies and banks could be hit by the attacks soon. Hence, it is important that financial companies implement new security measures as soon as possible.

