Banks across the United States are grappling with a wave of physical malware attacks on their ATMs, according to a new cybersecurity alert from the Federal Bureau of Investigation. The agency's report warns that attackers are bypassing both digital and physical safeguards by exploiting outdated technology and generic maintenance hardware found in many cash machines. Attackers open the maintenance cabinets – often with widely available universal keys – to reach the machines' storage drives. Once inside, they either load new malware or swap the original drive for a pre-infected one.

After restarting the terminal, the malicious code executes automatically, allowing the attacker to seize control of the machine's systems. One of the most common tools used in these operations is Ploutus, a malware strain first detected several years ago that remains effective due to its deep integration with ATM infrastructure.

Rather than breaking through network firewalls or online banking systems, Ploutus exploits the eXtensions for Financial Services (XFS) software layer used by ATMs to relay commands to bank networks. This middleware acts as the translator between the ATM's operating system – most commonly Windows – and the bank's authorization servers. By issuing its own instructions directly to XFS, Ploutus bypasses legitimate transaction checks entirely, enabling what investigators call jackpotting: forcing the ATM to dispense cash without any card, code, or verified account.

The FBI said that the frequency of such attacks has risen dramatically. Of roughly 1,900 reported jackpotting incidents since 2020, about 700 occurred in 2025 alone, with financial losses exceeding $20 million. The threat is not limited to any specific ATM brand or bank network, largely because most ATMs still run Windows, often on older versions no longer receiving regular security patches.

Many machines, for instance, continue operating on Windows 7 – a system released in 2009 and retired from mainstream support more than a decade later. The FBI's warning highlights that attackers can exploit vulnerabilities in these aging operating systems across a wide range of hardware before administrators can deploy fixes.

The Bureau's recommended countermeasures focus on both physical and digital lockdowns. Banks are urged to monitor ATM file systems for unauthorized executables, disable unused USB ports, replace generic key locks with keypad access controls, and install additional alarm systems to detect tampering. However, with hundreds of thousands of ATMs spread across the country, upgrading and securing them all will take time.
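
One way to implement the file-system monitoring recommended above is a hash baseline of every executable on the terminal, compared against a fresh scan. This is an added example, not code from the FBI alert or any ATM vendor; the function names, the script-extension list and the idea of keeping the baseline off the device are assumptions. Files are classified by PE header as well as extension, so a binary dropped under a harmless-looking name is still reported.

```python
import hashlib
import os

# Assumption: the baseline is produced from a known-good image and stored off
# the ATM, since the drive itself may have been swapped for a pre-infected one.
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE image (.exe, .dll, .sys)
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}  # assumed script types to track


def is_executable(path):
    """Treat a file as executable by script extension or by PE header content."""
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == PE_MAGIC


def snapshot(root):
    """Map relative path -> SHA-256 for every executable file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if not is_executable(full):
                    continue
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = "UNREADABLE"  # locked or denied: surface it, do not skip
            # Windows paths are case-insensitive, so normalise the key.
            result[os.path.relpath(full, root).replace(os.sep, "/").lower()] = digest
    return result


def audit(baseline, current):
    """Compare a trusted baseline with a fresh snapshot of the same tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "missing": sorted(set(baseline) - set(current)),
    }
```

Any non-empty `added` or `modified` list on a terminal that has had no scheduled software update is worth an alert, as is a scan that suddenly matches nothing in the baseline.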