FBI warns of rising malware-enabled ATM “jackpotting” attacks

The FBI released an IC3 FLASH advisory on February 19, 2026, warning of an increase in malware-enabled ATM “jackpotting” incidents across the U.S. The bureau says the alert is meant to distribute technical details and indicators of compromise (IOCs) so banks, ATM operators, and service providers can harden machines and spot compromises earlier.
The scale is not trivial. The FBI says that out of 1,900 jackpotting incidents reported since 2020, more than 700, with over $20 million in losses, occurred in 2025 alone.
What “ATM jackpotting” is in this advisory
In jackpotting, criminals don’t need to steal card data or drain customer accounts. Instead, they aim at the ATM itself, using malware to force the machine to dispense cash without a legitimate transaction. The FBI frames these events as fast “cash-out” operations that may only be noticed after the money is already gone.
Ploutus and the role of XFS
The advisory points to jackpotting malware, including the Ploutus family. The FBI says Ploutus targets eXtensions for Financial Services (XFS), the software layer that tells the ATM hardware what actions to perform. In a normal flow, the ATM application sends commands through XFS as part of a transaction that requires bank authorization. If an attacker can issue their own commands to XFS, the FBI says they can bypass authorization entirely and instruct the ATM to dispense cash on demand.
Common infection paths: physical access comes first
The FBI’s write-up emphasizes that many attacks start with physical access, often by opening an ATM face using widely available generic keys. From there, the FBI lists common deployment methods, including removing the hard drive, copying malware onto it using another computer, reinstalling it, and rebooting the ATM, or swapping the drive with a “foreign” drive or external device preloaded with malware before rebooting.
Why Windows-based ATMs are in scope
The FBI says the malware can be used across different ATM manufacturers with relatively little adjustment because the compromise exploits the Windows operating system on affected ATMs. The malware is described as interacting directly with ATM hardware and dispensing cash without requiring access to a bank customer account.
IOCs the FBI says defenders should look for
The advisory lists a range of digital indicators observed on affected ATMs running Windows, including suspicious executables such as Newage.exe, Color.exe, Levantaito.exe, NCRApp.exe, sdelete.exe, Promo.exe, WinMonitor.exe, WinMonitorCheck.exe, Anydesk1.exe, plus associated files/scripts like C.dat and Restaurar.bat, and newly created directories. It also includes multiple MD5 hashes tied to observed artifacts.
Beyond file artifacts, the FBI flags potential abuse of remote access tools (for example, unauthorized TeamViewer/AnyDesk) and unusual persistence via abnormal autoruns and custom services under Windows registry/service locations.
Physical/log indicators that can reveal staging
Because jackpotting often involves onsite tampering, the FBI also calls out “physical interaction indicators,” including USB insertion events and detection of connected devices like USB keyboards, USB hubs, and flash drives. Operational red flags include ATM door-open alerts outside maintenance windows, unexpected low/no-cash states, unauthorized devices connected, and hard drive removal.
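The physical and operational indicators above only become useful when they are correlated: a door opened outside a maintenance window, followed by a USB device and a reboot, matches the deployment path the advisory describes. The script below is an added example, not code from the FBI advisory or any ATM vendor, showing how such a rule set could be run over an ATM event feed. The event format, the maintenance schedule, and the time thresholds are assumptions made for this illustration; the sample events are constructed.

```python
"""Correlate ATM physical/operational events into alerts.

Added example (not from the FBI advisory or any vendor). Assumptions:
events arrive as (ISO timestamp, type, detail) tuples, maintenance
happens on weekdays 09:00-12:00 local time, and the thresholds below
are illustrative.
"""
from datetime import datetime, timedelta

# Constructed sample feed: a tamper sequence at night, then a legitimate
# service visit inside the maintenance window the next morning.
EVENTS = [
    ("2026-02-10T02:14:00", "door_open", "top hat"),
    ("2026-02-10T02:16:30", "usb_connected", "USB keyboard"),
    ("2026-02-10T02:21:10", "reboot", ""),
    ("2026-02-10T02:40:00", "cash_level", "0"),
    ("2026-02-11T10:05:00", "door_open", "top hat"),   # inside maintenance window
    ("2026-02-11T10:12:00", "reboot", ""),
]

MAINTENANCE_WINDOWS = [(9, 12)]          # assumed: weekday hours 09:00-12:00
REBOOT_AFTER_OPEN = timedelta(minutes=30)  # assumed correlation window
CASHOUT_AFTER_OPEN = timedelta(hours=2)    # assumed correlation window


def in_maintenance_window(ts):
    """True when ts falls inside an assumed weekday maintenance window."""
    return ts.weekday() < 5 and any(start <= ts.hour < end for start, end in MAINTENANCE_WINDOWS)


def parse(events):
    return [(datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in events]


def detect(events):
    """Return a list of alert dicts, in event order."""
    alerts = []
    suspicious_opens = []  # door-open timestamps outside any maintenance window
    for ts, kind, detail in parse(events):
        if kind == "door_open" and not in_maintenance_window(ts):
            suspicious_opens.append(ts)
            alerts.append({"time": ts, "severity": "medium",
                           "rule": "door_open_outside_window", "detail": detail})
        elif kind == "usb_connected":
            # The advisory lists USB insertion and connected keyboards/hubs/drives as indicators.
            alerts.append({"time": ts, "severity": "medium",
                           "rule": "usb_device_connected", "detail": detail})
        elif kind == "reboot":
            # A reboot shortly after an off-schedule door open matches the
            # "modify or swap the drive, then reboot" deployment path.
            recent = [t for t in suspicious_opens if ts - t <= REBOOT_AFTER_OPEN]
            if recent:
                minutes = int((ts - recent[-1]).total_seconds() // 60)
                alerts.append({"time": ts, "severity": "high",
                               "rule": "reboot_after_tamper",
                               "detail": f"{minutes} min after door open"})
        elif kind == "cash_level" and detail == "0":
            recent = [t for t in suspicious_opens if ts - t <= CASHOUT_AFTER_OPEN]
            rule = "cash_out_after_tamper" if recent else "no_cash_state"
            alerts.append({"time": ts, "severity": "high" if recent else "medium",
                           "rule": rule, "detail": "cash level 0"})
    return alerts


def rules_fired(events):
    return [a["rule"] for a in detect(events)]


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['time']:%Y-%m-%d %H:%M} [{a['severity']}] {a['rule']}: {a['detail']}")
```

Run against the constructed feed, the night-time sequence produces four alerts (two of them high severity), while the next morning's door open and reboot inside the maintenance window produce none. In a real deployment the door, USB, reboot, and cash-level signals would come from the ATM's own monitoring and the Windows event log, and the thresholds would be tuned to the operator's service schedule.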
Mitigation guidance: “gold images,” removable media auditing, and layered physical controls
One of the most actionable sections is the FBI’s emphasis on baselining and integrity: it recommends validating ATM files/hashes against a controlled “gold image” and treating deviations, especially unsigned or newly introduced binaries, as potential compromise.
The FBI also recommends a targeted audit policy around removable storage usage, controlled file access, and process creation to detect staging activity that can evade network monitoring.
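The gold-image recommendation above, together with the file-name indicators listed earlier, can be implemented as a simple integrity check: hash every file on the ATM, compare against the manifest captured from the trusted image, and report anything added, modified, or missing, flagging additions whose names match the advisory's list. The script below is an added example and is not code from the FBI advisory or any ATM vendor. It assumes the baseline is a mapping of relative path to SHA-256 digest taken from the gold image; the demo file trees it builds are constructed, and only the file names in SUSPICIOUS_NAMES come from the advisory.

```python
"""Gold-image integrity check for an ATM file set.

Added example (not from the FBI advisory or any vendor). Assumptions:
the baseline is a dict of relative path -> SHA-256 hex digest captured
from a trusted image, and the live file tree is a readable directory.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# File names the advisory lists as observed on compromised Windows ATMs.
SUSPICIOUS_NAMES = {
    "newage.exe", "color.exe", "levantaito.exe", "ncrapp.exe", "sdelete.exe",
    "promo.exe", "winmonitor.exe", "winmonitorcheck.exe", "anydesk1.exe",
    "c.dat", "restaurar.bat",
}


@dataclass
class IntegrityReport:
    modified: list = field(default_factory=list)          # digest differs from baseline
    added: list = field(default_factory=list)             # on disk, not in baseline
    missing: list = field(default_factory=list)           # in baseline, not on disk
    suspicious_names: list = field(default_factory=list)  # added/modified files with a listed name

    def is_clean(self):
        return not (self.modified or self.added or self.missing)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def compare_to_gold(baseline, live):
    """Diff a live snapshot against the gold-image baseline."""
    report = IntegrityReport()
    for rel, digest in live.items():
        if rel not in baseline:
            report.added.append(rel)
        elif baseline[rel] != digest:
            report.modified.append(rel)
    for rel in baseline:
        if rel not in live:
            report.missing.append(rel)
    # Any deviation is suspect; a deviation carrying a name from the advisory is more so.
    for rel in report.added + report.modified:
        if os.path.basename(rel).lower() in SUSPICIOUS_NAMES:
            report.suspicious_names.append(rel)
    return report


def build_demo():
    """Constructed demo: a tiny gold tree, then a live tree with one modified
    binary, one dropped file named like an advisory indicator, and one deleted
    file. Returns the IntegrityReport."""
    gold_files = {"app/atm.exe": b"legit app", "app/xfs.dll": b"xfs layer", "app/config.ini": b"k=v"}
    live_files = {"app/atm.exe": b"legit app", "app/xfs.dll": b"patched", "app/Restaurar.bat": b"..."}
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as live:
        for root, files in ((gold, gold_files), (live, live_files)):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        # In production the baseline comes from the trusted image, never from the live host.
        baseline = snapshot(gold)
        return compare_to_gold(baseline, snapshot(live))


if __name__ == "__main__":
    r = build_demo()
    for label, items in (("modified", r.modified), ("added", r.added),
                         ("missing", r.missing), ("listed name", r.suspicious_names)):
        for item in items:
            print(f"{label}: {item}")
```

The check deliberately treats every deviation as a finding rather than only the listed names, since the advisory's point is that unsigned or newly introduced binaries of any name should be investigated; the baseline manifest should be stored off the ATM and compared from a trusted process, because a drive that has been swapped or modified offline can carry a tampered manifest as easily as a tampered binary.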
On the physical side, the FBI’s advice is straightforward: make it harder to get into the machine and easier to spot tampering. That includes upgrading locks so generic keys won’t work, adding alarms for service panels, using sensors to detect unusual movement or heat, limiting access to the cashbox, and ensuring cameras properly cover the ATM, with footage retained long enough to be useful.
It also mentions hardening steps like device whitelisting to block unauthorized hardware connections, firmware integrity checks (including TPM-based integrity checks at boot), and disk encryption to reduce the chance that malware can be introduced by removing and modifying a drive outside the machine.
What the FBI asks organizations to report
For incident reporting, the FBI encourages organizations to contact their local FBI field office or submit through IC3, and it requests practical details such as bank/branch identifiers, ATM make/model, vendor info, and available logging.