ATM Jackpotting: The Sophisticated Cash-Out Scheme Draining Millions From American Banks

Federal investigators are sounding the alarm on a rapidly escalating cybercrime threat that is costing financial institutions millions of dollars: ATM jackpotting. The FBI has issued warnings that these attacks — in which hackers force automated teller machines to dispense all their cash on command — have surged dramatically, with criminal syndicates refining their methods and expanding their geographic reach across the United States.
According to TechCrunch, the FBI has confirmed that ATM jackpotting attacks are on the rise and have netted hackers millions in stolen cash. The bureau’s warning highlights a troubling trend: what was once considered a niche form of cybercrime primarily concentrated in Europe and Asia has now firmly established itself on American soil, with organized criminal groups deploying increasingly sophisticated techniques to compromise ATM hardware and software.
How Jackpotting Works: Malware, Black Boxes, and Insider Knowledge
ATM jackpotting generally falls into two categories: malware-based attacks and so-called “black box” attacks. In malware-based jackpotting, criminals gain physical access to an ATM’s internal computer — often by picking locks or using stolen maintenance keys — and install malicious software that overrides the machine’s cash-dispensing controls. Once the malware is loaded, an accomplice can approach the ATM and trigger a massive payout using a specific sequence of commands, sometimes dispensing hundreds of bills per minute.
Black box attacks take a different approach. Instead of installing software on the ATM’s own computer, attackers disconnect the machine’s internal cash dispenser from its main board and attach an external device — the “black box” — that sends direct commands to the dispenser. This method bypasses the ATM’s operating system entirely, making it harder for traditional security software to detect. In both cases, the attacks typically require some degree of physical access and technical knowledge of ATM architecture, which investigators say points to well-organized criminal networks rather than lone opportunists.
The Scale of the Problem: Millions Lost and Counting
The financial toll has been staggering. As reported by TechCrunch, the FBI’s assessment indicates that hackers have stolen millions of dollars through these schemes. Individual ATMs can hold anywhere from $20,000 to $250,000 in cash depending on their location and type, meaning a single successful attack on a high-value machine can yield a substantial payday. When criminal groups hit multiple machines in coordinated strikes — sometimes targeting dozens of ATMs across several states in a single weekend — the cumulative losses quickly become enormous.
Financial institutions have historically been reluctant to disclose the full extent of jackpotting losses, partly out of concern that publicizing vulnerabilities could embolden additional attackers. But the FBI’s decision to issue a public warning suggests that the problem has grown too large to address quietly. Law enforcement officials have indicated that the attacks are not isolated incidents but part of a sustained campaign by transnational criminal organizations that recruit local operatives — often referred to as “money mules” — to physically carry out the cash extractions.
A Global Threat That Has Come Home
ATM jackpotting first gained widespread attention in 2010 when the late security researcher Barnaby Jack demonstrated a live hack at the Black Hat security conference, forcing an ATM on stage to spit out bills in what he memorably called “Jackpotting.” The demonstration was a watershed moment for the ATM security industry, but in the years that followed, most of the real-world attacks occurred overseas. European and Latin American banks bore the brunt of jackpotting campaigns, with Europol and other international agencies tracking organized rings operating across multiple countries.
The United States was long considered a harder target, in part because many American ATMs had transitioned to more modern operating systems and because the country’s sprawling geography made coordinated physical attacks logistically challenging. But that calculus has shifted. The Secret Service first warned U.S. financial institutions about domestic jackpotting attacks in January 2018, and the frequency has only increased since then. Criminals have adapted their techniques to target specific ATM models popular in the American market, and the availability of jackpotting malware on dark web forums has lowered the barrier to entry for aspiring attackers.
Aging Infrastructure and Software Vulnerabilities
One of the factors fueling the rise in jackpotting is the aging infrastructure of the American ATM fleet. Many machines still run on outdated operating systems, including versions of Windows that Microsoft no longer supports with security patches. This creates a fertile environment for malware deployment. ATM manufacturers such as Diebold Nixdorf and NCR have issued repeated advisories urging operators to update their machines, but the cost of upgrading or replacing ATMs — which can run $30,000 to $60,000 per unit — has led many smaller banks, credit unions, and independent ATM operators to delay necessary improvements.
The problem is compounded by the physical security shortcomings of many ATM installations. Stand-alone machines in convenience stores, gas stations, and other retail locations are particularly vulnerable because they are often left unmonitored for extended periods. Criminals can work on these machines for several minutes without attracting attention, giving them ample time to access internal components. Even bank-owned ATMs in vestibules and drive-through lanes have proven susceptible when security cameras are poorly positioned or when alarm systems fail to detect unauthorized access to the machine’s cabinet.
Law Enforcement Response and Industry Countermeasures
The FBI and Secret Service have both stepped up their efforts to combat jackpotting, working with international partners to identify and dismantle the criminal networks behind the attacks. Several arrests have been made in recent years, including cases involving suspects linked to organized crime groups operating out of Eastern Europe and Latin America. But investigators acknowledge that prosecution is difficult: the cash-based nature of the crime leaves fewer digital traces than other forms of cybercrime, and the use of disposable operatives makes it hard to reach the masterminds behind the schemes.
On the industry side, ATM manufacturers and financial institutions are deploying a range of countermeasures. These include enhanced encryption for communications between ATM components, hard drive protections that prevent unauthorized software from being installed, and physical security upgrades such as tamper-detection sensors and reinforced cabinets. Some operators have also begun implementing real-time monitoring systems that can detect anomalous dispensing patterns and shut down a compromised machine before significant cash is lost. Diebold Nixdorf, one of the world’s largest ATM manufacturers, has published detailed guidance for its customers on hardening machines against jackpotting, including recommendations for firmware updates and physical security best practices.
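The real-time monitoring idea above, sketched as an added example (not code from the FBI, TechCrunch, or any ATM vendor): each dispense is reconciled against a host authorization, and a per-machine rate ceiling is enforced over a sliding window. The log format, the event names AUTH and DISPENSE, the thresholds, and the premise that DISPENSE events come from dispenser-side telemetry independent of the ATM's own PC are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format: ISO time, ATM id, event, fields.
SAMPLE_LOG = """\
2024-05-04T02:10:00 ATM-017 AUTH txn=9001 notes=10
2024-05-04T02:10:05 ATM-017 DISPENSE txn=9001 notes=10
2024-05-04T02:14:00 ATM-042 AUTH txn=9002 notes=5
2024-05-04T02:14:04 ATM-042 DISPENSE txn=9002 notes=5
2024-05-04T02:30:00 ATM-042 DISPENSE txn=- notes=40
2024-05-04T02:30:20 ATM-042 DISPENSE txn=- notes=40
2024-05-04T02:30:40 ATM-042 DISPENSE txn=- notes=40
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
MAX_NOTES_PER_WINDOW = 60        # assumed per-machine ceiling; tune per fleet

def parse(line):
    ts, atm, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), atm, event, kv["txn"], int(kv["notes"])


def detect(log_text):
    """Return {atm_id: sorted reasons} for machines to take out of service."""
    authorized = defaultdict(dict)   # atm -> {txn: notes approved by the host}
    recent = defaultdict(deque)      # atm -> (time, notes) pairs inside WINDOW
    alerts = defaultdict(set)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, atm, event, txn, notes = parse(line)
        if event == "AUTH":
            authorized[atm][txn] = notes
            continue
        if event != "DISPENSE":
            continue
        # Rule 1: cash left the machine without a matching host authorization.
        if authorized[atm].pop(txn, None) != notes:
            alerts[atm].add("unauthorized_dispense")
        # Rule 2: notes dispensed inside the sliding window exceed the ceiling.
        window = recent[atm]
        window.append((ts, notes))
        while ts - window[0][0] > WINDOW:
            window.popleft()
        if sum(n for _, n in window) > MAX_NOTES_PER_WINDOW:
            alerts[atm].add("dispense_rate")
    return {atm: sorted(reasons) for atm, reasons in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Rule 1 catches a single unapproved dispense before the rate ceiling is ever reached, while rule 2 still fires if authorizations themselves have been forged or replayed.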
The Human Element: Recruiting and Deploying Cash Mules
A critical component of jackpotting operations is the human infrastructure required to execute them. The technical masterminds who develop or procure the malware and black box devices rarely appear at the ATM themselves. Instead, they recruit networks of cash mules — individuals who are paid to physically access the machines, install the attack hardware or software, and collect the dispensed cash. These mules are often recruited through social media, encrypted messaging platforms, or dark web forums, and they may not fully understand the scope of the operation they are participating in.
Law enforcement officials say that mule recruitment has become increasingly sophisticated, with some criminal organizations offering detailed instructional videos and remote technical support to guide operatives through the attack process. This “crime as a service” model has made jackpotting accessible to a broader range of criminal actors, even those without deep technical expertise. The mules themselves face significant legal risk — federal charges related to ATM fraud can carry sentences of 20 years or more — but the promise of quick cash continues to attract recruits, particularly among younger individuals in economically disadvantaged communities.
What Banks and Consumers Should Know Going Forward
For financial institutions, the FBI’s warning should serve as an urgent call to audit ATM security practices from top to bottom. This means not only updating software and firmware but also reassessing the physical security of every machine in their fleet, particularly those in remote or low-traffic locations. Industry experts recommend that banks conduct regular penetration testing of their ATM networks and establish protocols for rapid response when suspicious activity is detected.
For consumers, the good news is that jackpotting attacks do not directly compromise individual bank accounts or debit cards — the stolen cash comes from the ATM operator’s reserves, not from customer deposits. However, the broader financial impact of these attacks can ripple through the banking system in the form of higher fees, reduced ATM availability, and increased costs that are ultimately passed on to customers. As criminal organizations continue to refine their methods and expand their operations, the race between attackers and defenders shows no signs of slowing down. The FBI’s public acknowledgment of the threat’s scale is a clear signal that the era of ATM jackpotting as a fringe concern is over — it is now a mainstream challenge for the American financial system.