Malware | December 22, 2025 | 4 min read

DOJ Charges 54 in $40 Million ATM Jackpotting Scheme Linked to Venezuelan Gang

Federal indictments target Tren de Aragua members who used Ploutus malware to steal over $40 million from U.S. ATMs since 2021.

James Rivera

The U.S. Department of Justice has charged 54 individuals in connection with a sophisticated ATM jackpotting operation that used Ploutus malware to steal more than $40.73 million from cash machines across the United States. Twenty-two of those charged are alleged members of Tren de Aragua, a Venezuelan criminal organization that the State Department designated as a foreign terrorist organization earlier this year.

TL;DR

  • What happened: DOJ indicted 54 people for ATM jackpotting attacks using Ploutus malware, stealing $40.73M since 2021
  • Who's affected: Financial institutions operating ATMs across the United States
  • Severity: High - organized crime operation with terrorist organization designation
  • Action required: Financial institutions should review ATM physical security and XFS middleware configurations

What is Ploutus Malware?

Ploutus is ATM-specific malware that has been active since 2013, when it first emerged targeting banks in Mexico. Rather than exploiting a software bug, the malware abuses the Extensions for Financial Services (XFS) middleware, the standard interface through which Windows-based ATM software drives peripheral devices such as the cash dispenser: any code running on the ATM's PC that can call into XFS can ask the dispenser for cash.

Once installed on a compromised ATM, Ploutus allows attackers to:

  • Dispense cash on demand through keyboard commands or external triggers
  • Bypass the normal transaction authorization process entirely
  • Operate without requiring stolen card data or PINs
  • Control the ATM remotely in some variants

The attack typically requires physical access to the ATM's internals. Criminals gain entry by drilling holes, using stolen maintenance keys, or exploiting poor physical security at standalone machines.

How the Scheme Worked

According to court documents, the operation followed a coordinated pattern:

  1. Teams would identify vulnerable ATMs, often standalone machines at convenience stores or gas stations
  2. Operatives gained physical access to the ATM's computer, typically by opening the top hat (the upper cabinet that houses the PC core and display), which is usually far less protected than the cash safe below it
  3. They connected external devices—usually keyboards or phones—to input commands directly to the XFS layer
  4. The malware forced the dispenser to eject cash at maximum speed, up to 40 bills every 20 seconds
  5. "Money mules" collected the cash and transferred funds through various channels

The indictment describes a well-organized operation with specialized roles: technical operators who installed the malware, collectors who grabbed the dispensed cash, and financial handlers who laundered the proceeds.

The Tren de Aragua Connection

Tren de Aragua (TdA) began as a prison gang in Venezuela's Aragua state and has expanded into a transnational criminal organization operating across South America, Central America, and now the United States. The State Department designated TdA as a Transnational Criminal Organization in July 2024 and upgraded that designation to Foreign Terrorist Organization in 2025.

The gang's involvement in ATM jackpotting represents a diversification of their criminal portfolio, which also includes human trafficking, drug smuggling, extortion, and contract killings. Law enforcement sources indicate that technical expertise for the ATM operations may have been contracted from Eastern European cybercriminal networks.

Why This Matters

This case illustrates how traditional organized crime groups are adopting cyber-enabled attack methods. The financial sector has invested billions in securing card transactions and online banking, but physical ATM attacks exploiting legacy software remain a persistent vulnerability.

Most ATMs still run on Windows—many on outdated versions like Windows 7 or even XP. The XFS middleware standard, while enabling interoperability, also creates a known attack surface that malware authors have targeted for over a decade. Patching individual ATMs remains logistically challenging for financial institutions managing thousands of machines across wide geographic areas.

The involvement of a designated terrorist organization adds another dimension. Financial institutions may face increased regulatory scrutiny under anti-money laundering and counter-terrorism financing frameworks.

Recommended Mitigations

  1. Harden physical security - Fit tamper-detection sensors (particularly on the top hat), use full-disk encryption so a removed drive cannot be modified offline, and restrict access to ATM internals
  2. Update ATM software - Migrate away from end-of-life Windows versions where possible
  3. Implement application whitelisting - Allow only the approved ATM application stack to execute, so unauthorized binaries cannot reach the XFS layer
  4. Deploy endpoint protection - Use ATM-specific security solutions that monitor for XFS manipulation and unexpected peripheral connections
  5. Monitor for anomalies - Alert on dispensing that has no matching host authorization, burst dispensing, and out-of-hours activity
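To make the last mitigation concrete, here is an added example of the kind of detection logic a fleet operator could run over ATM event logs. It is illustrative code written for this article, not a tool from the DOJ filings or from any ATM vendor. The log format (ISO timestamp followed by key=value fields), the sample lines and the thresholds are all constructed assumptions; a real deployment would read host-authorization and dispenser events from its own monitoring feeds and tune the thresholds to the fleet's baseline. The key idea is the one the article states: jackpotting bypasses the host authorization step, so a dispense with no matching authorization is the strongest signal, with burst volume and out-of-hours timing as supporting indicators.

```python
"""Flag jackpotting-style dispensing in ATM event logs (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Thresholds are assumptions for illustration; tune them to the fleet's real baseline.
AUTH_WINDOW = timedelta(seconds=120)    # a dispense must follow its host authorization within this
BURST_WINDOW = timedelta(seconds=60)    # sliding window over which dispensed bills are counted
BURST_THRESHOLD = 60                    # more bills than this per window counts as a burst
QUIET_START, QUIET_END = time(0, 0), time(5, 0)   # assumed out-of-hours period

# Constructed sample log: two normal withdrawals, then three authorization-less
# 40-bill dispenses 20 seconds apart at 02:10, then one more normal withdrawal.
SAMPLE_LOG = """\
2025-12-20T10:15:02 atm=ATM-0417 event=AUTH txn=T1001 amount=200
2025-12-20T10:15:05 atm=ATM-0417 event=DISPENSE txn=T1001 bills=10
2025-12-20T10:42:11 atm=ATM-0417 event=AUTH txn=T1002 amount=60
2025-12-20T10:42:14 atm=ATM-0417 event=DISPENSE txn=T1002 bills=3
2025-12-21T02:10:00 atm=ATM-0417 event=DISPENSE txn=- bills=40
2025-12-21T02:10:20 atm=ATM-0417 event=DISPENSE txn=- bills=40
2025-12-21T02:10:40 atm=ATM-0417 event=DISPENSE txn=- bills=40
2025-12-21T09:05:30 atm=ATM-0417 event=AUTH txn=T1003 amount=100
2025-12-21T09:05:33 atm=ATM-0417 event=DISPENSE txn=T1003 bills=5
"""


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str     # AUTH or DISPENSE
    txn: str      # transaction id, "-" when the dispenser fired without one
    bills: int


@dataclass
class Alert:
    ts: datetime
    atm: str
    rule: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line (this layout is assumed, not a vendor format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts=datetime.fromisoformat(ts_str), atm=kv["atm"], kind=kv["event"],
                 txn=kv.get("txn", "-"), bills=int(kv.get("bills", "0")))


def detect(lines) -> list:
    """Run the three rules over an iterable of log lines and return the alerts raised."""
    alerts = []
    pending_auth = defaultdict(dict)   # atm -> {txn: time the host authorized it}
    recent = defaultdict(deque)        # atm -> deque of (ts, bills) for recent dispenses

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)

        if ev.kind == "AUTH":
            pending_auth[ev.atm][ev.txn] = ev.ts
            continue
        if ev.kind != "DISPENSE":
            continue

        # Rule 1: every dispense must consume a recent host authorization.
        # Jackpotting drives the dispenser through XFS directly, so this is the primary signal.
        auth_ts = pending_auth[ev.atm].pop(ev.txn, None)
        if auth_ts is None or ev.ts - auth_ts > AUTH_WINDOW:
            alerts.append(Alert(ev.ts, ev.atm, "unauthorized_dispense",
                                f"{ev.bills} bills dispensed with no matching authorization (txn={ev.txn})"))

        # Rule 2: burst dispensing, measured as bills per sliding window.
        window = recent[ev.atm]
        window.append((ev.ts, ev.bills))
        while window and ev.ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        total = sum(b for _, b in window)
        if total > BURST_THRESHOLD:
            alerts.append(Alert(ev.ts, ev.atm, "burst_dispense",
                                f"{total} bills within {int(BURST_WINDOW.total_seconds())}s"))

        # Rule 3: dispensing during the assumed quiet period (supporting signal only).
        if QUIET_START <= ev.ts.time() < QUIET_END:
            alerts.append(Alert(ev.ts, ev.atm, "out_of_hours_dispense",
                                f"{ev.bills} bills at {ev.ts.time()}"))
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per rule, e.g. {'unauthorized_dispense': 3, ...}."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.atm} {a.rule}: {a.detail}")
    print(summarize(found))
```

On the sample data the two daytime withdrawals raise nothing, while the three 02:10 dispenses each trip the authorization rule, the second and third also trip the burst rule (80 and then 120 bills inside the 60-second window), and all three fall in the quiet period. The burst threshold is deliberately set below the rate the indictment describes (40 bills every 20 seconds) so that a single jackpotting run is caught on its second cycle; the correct value for a real fleet depends on the maximum a legitimate withdrawal can dispense.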

Frequently Asked Questions

How do I know if an ATM has been compromised with jackpotting malware?

End users generally can't detect jackpotting malware—it operates below the customer interface level. Financial institutions monitor for signs like unusual dispensing volumes, transactions that don't match customer activity, or physical evidence of tampering.

Is my bank account at risk from ATM jackpotting?

Jackpotting attacks steal cash directly from the machine, not from customer accounts. The financial loss falls on the institution operating the ATM, not individual account holders.

What's different about this case compared to typical ATM fraud?

Traditional ATM fraud involves skimming card data or stealing PINs. Jackpotting bypasses customer credentials entirely—the malware forces the machine to dispense cash without any card or transaction authorization.
