In 2010, the late security researcher Barnaby Jack stunned the Black Hat conference by making an ATM vomit cash on command. What was once a theatrical demonstration of vulnerability has now evolved into a massive criminal enterprise. The FBI has issued a security bulletin warning that “jackpotting” attacks are surging, with hackers stealing millions from financial institutions across the country.
A Growing Threat to Financial Infrastructure
The scale of these attacks reached a new peak in 2025. According to federal investigators, criminals targeted cash dispensers over 700 times last year alone, successfully netting more than $20 million. Unlike traditional skimming, which steals individual customer data, jackpotting targets the machine’s internal software to drain its entire cash reserve.
The Mechanics of a Digital Heist
Modern jackpotting is a sophisticated “hybrid” crime that requires both physical proximity and digital expertise.
- Physical Breach: Hackers often use generic master keys to unlock the ATM’s front panel, providing them direct access to the internal hardware and hard drives.
- Digital Execution: Once inside, they deploy specialized malware, such as Ploutus, which takes full control of the machine’s operations.
Exploiting the XFS Layer
The FBI highlights that malware like Ploutus is particularly dangerous because it targets the underlying Windows operating system used by most ATM manufacturers. Specifically, it compromises the eXtensions for Financial Services (XFS) software.
XFS is the critical communication bridge between the ATM’s software and its physical components, including the card reader, PIN pad, and cash dispenser. By manipulating this layer, hackers can command the machine to dispense large volumes of cash in minutes. Because these attacks bypass customer accounts entirely, they are often difficult to detect until a bank employee physically inspects the empty machine.
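Because a jackpotted dispense never touches a customer account, one way to surface it before anyone opens the machine is to reconcile the dispenser's own event records against the withdrawals the bank's host authorized. The following Python is an added example, not taken from the FBI bulletin or from any ATM vendor; the record layout, field names, ATM identifier and sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names and layout are assumptions,
# not a real vendor journal or host log format.
HOST_AUTHORIZATIONS = [
    {"atm": "ATM-01", "time": "2025-06-01T02:10:05", "amount": 200},
    {"atm": "ATM-01", "time": "2025-06-01T02:14:40", "amount": 60},
]
DISPENSE_EVENTS = [
    {"atm": "ATM-01", "time": "2025-06-01T02:10:09", "amount": 200},
    {"atm": "ATM-01", "time": "2025-06-01T02:14:44", "amount": 60},
    {"atm": "ATM-01", "time": "2025-06-01T03:31:02", "amount": 800},
    {"atm": "ATM-01", "time": "2025-06-01T03:31:40", "amount": 800},
]


def unmatched_dispenses(dispenses, authorizations, window_seconds=60):
    """Return dispense events that no host authorization explains.

    A dispense is explained when the same ATM has an authorization for the
    same amount at most window_seconds before it. Each authorization is
    consumed once, so a replayed dispense is also reported.
    """
    window = timedelta(seconds=window_seconds)
    unused = [dict(a, _t=datetime.fromisoformat(a["time"])) for a in authorizations]
    alerts = []
    for d in sorted(dispenses, key=lambda e: e["time"]):
        t = datetime.fromisoformat(d["time"])
        match = next(
            (a for a in unused
             if a["atm"] == d["atm"] and a["amount"] == d["amount"]
             and timedelta(0) <= t - a["_t"] <= window),
            None,
        )
        if match is None:
            alerts.append(d)       # cash left the machine with no account behind it
        else:
            unused.remove(match)   # this authorization is now spent
    return alerts


def unauthorized_total(alerts):
    """Sum of cash dispensed without a matching authorization."""
    return sum(d["amount"] for d in alerts)


if __name__ == "__main__":
    for event in unmatched_dispenses(DISPENSE_EVENTS, HOST_AUTHORIZATIONS):
        print("ALERT unauthorized dispense:", event)
```

The check only works if the dispense records are collected somewhere the ATM's own operating system cannot alter, since malware with control of the machine can also tamper with local logs.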





