The FBI is warning of an increase in cybercrime in which thieves remotely withdraw money from automated teller machines.
This practice, which the FBI calls “ATM jackpotting,” occurs when thieves use malware that lets them withdraw money from machines whenever they want.
The FBI on Thursday, Feb. 19, issued a warning to financial institutions to inform them about the recent increase in jackpot incidents, saying at least 1,900 “ATM jackpot” incidents have been reported over the past six years.
“Of the 1,900 ATM jackpot incidents reported since 2020, more than 700 occurred in 2025 alone, resulting in losses exceeding $20 million,” the FBI wrote in the warning.
Just last week, a federal grand jury in the District of Nebraska indicted six people for their alleged involvement in the “ATM Jackpot” scheme. According to the U.S. Department of Justice, the defendants deployed the malware to “steal millions of dollars from ATMs in the United States.”
They were charged with conspiracy to commit bank fraud, conspiracy to commit bank robbery and computer fraud, bank fraud, bank robbery, and computer damage.
Here’s what the FBI said in its latest warning about “ATM jackpots” and what financial institutions should be aware of:
How does an “ATM jackpot” work?
The FBI said in the alert that actors are using malware, including the Ploutus family, to infect ATMs and withdraw cash from them. According to the FBI, the malware infects the software that directs ATMs to perform physical operations.
When the ATM is functioning properly, the ATM application sends instructions for bank authentication through that software. According to the FBI, if criminals can send their own commands to the software, they can bypass bank approval and instruct ATMs to dispense cash.
Essentially, the malware allows criminals to withdraw cash from ATMs without a bank card, customer account, or bank authorization, the FBI said.
“It gives (thieves) direct control over the machine,” the FBI wrote in the notice, adding that the malware attacks the ATM itself, not customer accounts.
According to the FBI, thieves have discovered multiple ways to install malware on ATMs, including:
- Removing the machine’s hard drive, connecting it to a computer, copying the malware onto it, putting the hard drive back into the ATM, and restarting the ATM.
- Removing the ATM’s hard drive, replacing it with an external hard drive or other external device that is preloaded with malware, and restarting the ATM.
How do banks and credit unions know that their ATMs are infected?
The FBI said in its warning that, based on past ATM attacks investigated by the bureau, there are red flags that banks and credit unions can look for to discover infected machines.
Digital and physical signs of tampering include:
- Unexpected executable files on the ATM’s hard drive, such as Newage.exe, Color.exe, and WinMonitor.exe.
- Associated files and scripts such as C.dat, Restaurar.bat, and Logcontrol.txt.
- A new directory, such as C:\Users\SSAuto1\AppData\Local\P\.
- Security log records showing USB insertion events and newly connected external devices.
- Alerts about the ATM door being opened outside of scheduled maintenance, or alerts about removing the hard drive from the ATM.
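For ATM operators, the indicators above can be turned into a simple triage check. The following is an added example, not code from the FBI alert or the original article: it matches the file names and directory listed above against a file inventory and flags physical-access events, using a hypothetical event schema (`usb_insert`, `disk_removed`, `door_open`) and constructed sample data.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Indicators named in the FBI alert as quoted on this page.
IOC_FILES = {"newage.exe", "color.exe", "winmonitor.exe",
             "c.dat", "restaurar.bat", "logcontrol.txt"}
IOC_DIR = PureWindowsPath(r"C:\Users\SSAuto1\AppData\Local\P")

def triage_paths(paths):
    """Return (path, reason) for every path matching a listed name or directory."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)  # Windows semantics: case-insensitive compare
        if p.name.lower() in IOC_FILES:
            hits.append((raw, "ioc_filename"))
        elif p == IOC_DIR or IOC_DIR in p.parents:
            hits.append((raw, "ioc_directory"))
    return hits

def triage_events(events, maintenance_windows):
    """Flag USB/disk events always, door-open events only outside maintenance."""
    flagged = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        in_window = any(start <= t <= end for start, end in maintenance_windows)
        always = ev["type"] in ("usb_insert", "disk_removed")
        if always or (ev["type"] == "door_open" and not in_window):
            flagged.append(ev)
    return flagged

# Constructed sample data (hypothetical schema, not real ATM telemetry).
SAMPLE_PATHS = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\ProgramData\winmonitor.EXE",
    r"c:\users\ssauto1\appdata\local\p\example.bin",
    r"D:\logs\Logcontrol.txt",
]
SAMPLE_WINDOWS = [(datetime(2025, 3, 4, 9, 0), datetime(2025, 3, 4, 11, 0))]
SAMPLE_EVENTS = [
    {"time": "2025-03-04T09:30:00", "type": "door_open"},
    {"time": "2025-03-05T02:14:00", "type": "door_open"},
    {"time": "2025-03-05T02:16:00", "type": "usb_insert"},
    {"time": "2025-03-05T02:15:00", "type": "disk_removed"},
]

if __name__ == "__main__":
    print(triage_paths(SAMPLE_PATHS))
    print(triage_events(SAMPLE_EVENTS, SAMPLE_WINDOWS))
```

Short names such as C.dat can occur in legitimate software, so a file-name hit is a lead to investigate alongside the physical-access events, not proof of infection.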
What to do if you need to report an “ATM jackpot”
The FBI said anyone who needs to report suspicious or criminal activity can report the situation to their local FBI field office (www.fbi.gov/contact-us/field-offices) or the FBI Internet Crime Complaint Center (www.ic3.gov).
Those reporting jackpotting must provide the bank name, branch, location, and contact information, as well as the ATM make and model, vendor name and contact information, and available logs.
Saleen Martin is a reporter for USA TODAY’s NOW team. She is from Norfolk, Virginia (757). Email sdmartin@usatoday.com.

