“Who is watching the machines when the machines are the vault?” That question hangs over bank lobbies and retail plazas as a new FBI Flash alert reports that ATM “jackpotting” attacks cost banks an estimated $20 million in 2025 alone. The figure is staggering not only for its dollar value but for what it reveals: adversaries are turning physical cash points into programmable paydays, and the cost is being borne by institutions and, ultimately, the public.
Jackpotting is straightforward in concept and sophisticated in execution: attackers install malware or exploit hardware and software vulnerabilities to force an ATM to dispense all of its cash on command. The tactic has evolved from isolated heists into industrial-scale fraud, enabled by criminal marketplaces, commodified tooling, and gaps in supply-chain and maintenance practices. An FBI Flash alert—now being circulated to financial institutions and partners—highlights the scale and urgency of the problem. Law-enforcement advisories like this are designed to push timely mitigation, but they also confirm a broader reality: the risk landscape is as much about people and processes as it is about code and chips, and enforcement alone will not erase the incentive structure that makes such attacks attractive to criminals.
Background: how jackpotting works and why it spread
In early forms, jackpotting required physical tampering: criminals opened an ATM’s cabinet, connected a laptop, and triggered cash disbursements. Modern variants blend remote access, insider compromise, and supply-chain abuse. Attackers exploit unpatched operating systems, default or weak credentials on ATM management software, and insecure remote-management tools to deploy payloads that turn machines into cash sources. The result is rapid, low-risk exfiltration for those who can coordinate a strike and launder the proceeds.
The broader cybercrime ecosystem accelerates these attacks. Malware families and “how-to” kits circulate on underground forums; access-to-infrastructure services provide footholds; and social-engineering campaigns deliver credentials or privileged access. As one recent analysis of transnational cybercrime cases observed, the economics of digital extortion and fraud favor scalable operations that combine technical skill with marketized services—so dismantling named groups is necessary but insufficient to stop the underlying commerce of crime.
Current situation: the $20 million tally and immediate responses
The FBI’s notice places the 2025 losses at roughly $20 million from jackpotting incidents reported to authorities. That number reflects confirmed losses but likely understates the full scope: banks may underreport incidents to avoid reputational harm, and some cases are resolved privately or through insurance channels. Financial institutions, in turn, are receiving guidance on hardening ATMs: applying timely patches, enforcing strong credentials and multifactor authentication where possible, segmenting ATM management networks from corporate systems, and tightening physical security during maintenance operations.
Banks and industry groups are also leaning into information-sharing. Public-private partnerships and sector-specific Information Sharing and Analysis Centers (ISACs) provide forums for distributing indicators of compromise, attack patterns, and mitigation playbooks. Such cooperation is a necessary response, but its effectiveness depends on speed, completeness, and the willingness of institutions to share sensitive details that might invite scrutiny or customer concern.
Why this matters: beyond the headline number
- Operational risk: ATM networks are critical infrastructure for cash access. Large-scale jackpotting can cause service outages, cash shortages, and costly emergency responses.
- Financial exposure: direct losses hit banks’ bottom lines and can affect insurance markets and reserve calculations. Indirect costs—investigations, remediation, customer notifications, and regulatory fines—compound the damage.
- Public trust and access: reliance on ATMs remains significant for many communities and customers who prefer or need cash. Repeated attacks erode trust and can disproportionately harm underserved populations.
- Adversary incentives: jackpotting remains profitable. When tooling and tactics are commodified, the barrier to entry falls and attack frequency rises—creating a feedback loop that favors criminal innovation over defensive catch-up.
Multiple perspectives on the problem
Technologists: Security practitioners stress layered defenses. Recommendations include ensuring ATMs run supported operating systems, removing default accounts, applying device-level encryption and integrity checks, segregating management networks, and monitoring for anomalous withdrawal patterns. They also urge vendors and banks to adopt secure-by-design principles so that maintenance interfaces and remote-management protocols are not exploitable entry points.
Policymakers and regulators: Regulators face a balancing act—mandating baseline security standards can raise the cost of attacks but also impose compliance burdens on smaller institutions. Some analysts call for stronger reporting requirements so regulators can better aggregate attack data and coordinate responses; others push for incentives that accelerate upgrades at cash-strapped community banks.
Users and the public: Consumers rarely see the technical half of these incidents, but they feel the consequences in reduced access to cash or when banks pass costs along. Outreach and clear communication after incidents are essential to maintain confidence—yet institutions often struggle to be both transparent and legally prudent.
Adversaries: From the attacker’s vantage, jackpotting is efficient. It converts stored value in machines into immediately usable funds with minimal online traceability when combined with cash-outs and layering. The criminal calculus values quick monetization and low operational risk; where those conditions exist, attacks will continue to be attractive.
Challenges to mitigation
- Legacy systems: Many ATM fleets include aging hardware and software that are difficult or expensive to upgrade.
- Supply-chain exposure: Third-party maintenance and remote-management vendors can create weak links if their security posture is uneven.
- Information gaps: Underreporting and fragmented intelligence sharing slow collective learning and delay broader countermeasures.
- International enforcement limitations: Cross-border investigations are complex; takedowns and prosecutions matter, but they rarely eliminate the underlying market for tools and services that enable these crimes.
What institutions can do now
- Inventory and assess: map ATM fleets, identify unsupported devices, and prioritize upgrades for high-risk endpoints.
- Harden remotely accessible systems: eliminate default passwords, require multifactor authentication, and isolate management channels.
- Monitor and detect: deploy behavioral analytics to flag unusual cash-dispense patterns and integrate ATM telemetry into centralized security operations.
- Practice response: maintain playbooks for jackpotting incidents that coordinate operations, communications, and law-enforcement liaison.
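The "monitor and detect" item above can begin with two simple rules over dispenser telemetry: cash leaving a machine with no matching host authorization, and total cash dispensed in a short window exceeding a limit. This is an added example, not code from the FBI alert or any vendor; the record layout, the five-minute window, the cash limit and all sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per ATM
MAX_IN_WINDOW = 1000           # assumed cash limit per ATM per window

# Constructed host-side authorizations: (atm_id, txn_id)
HOST_AUTHS = {("ATM-A", "t1"), ("ATM-A", "t2"), ("ATM-B", "t3")}

# Constructed device-side dispense telemetry: (timestamp, atm_id, txn_id, amount)
DISPENSES = [
    ("2025-03-01T02:00:09", "ATM-A", "t1", 200),
    ("2025-03-01T02:07:30", "ATM-A", "t2", 300),
    ("2025-03-01T03:10:00", "ATM-B", "t3", 100),
    ("2025-03-01T03:11:00", "ATM-B", None, 800),
    ("2025-03-01T03:11:40", "ATM-B", None, 800),
    ("2025-03-01T03:12:10", "ATM-B", None, 800),
]

def detect(dispenses, host_auths, window=WINDOW, limit=MAX_IN_WINDOW):
    """Return a list of (timestamp, atm_id, rule) alerts in time order."""
    recent = defaultdict(deque)  # atm_id -> (time, amount) pairs inside the window
    alerts = []
    for ts, atm, txn, amount in sorted(dispenses, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        # Rule 1: the dispenser paid out with no matching host authorization.
        if (atm, txn) not in host_auths:
            alerts.append((ts, atm, "NO_HOST_AUTH"))
        # Rule 2: cash dispensed within the sliding window exceeds the limit.
        q = recent[atm]
        q.append((when, amount))
        while q and when - q[0][0] > window:
            q.popleft()
        if sum(a for _, a in q) > limit:
            alerts.append((ts, atm, "DISPENSE_BURST"))
    return alerts

if __name__ == "__main__":
    for alert in detect(DISPENSES, HOST_AUTHS):
        print(alert)
```

Rule 1 depends on correlating device-side events with host-side records, which is why ATM telemetry has to reach the central security operations pipeline rather than stay on the machine.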
Final analysis: a systemic problem needing systemic answers
The $20 million figure is an alarm bell, not a comprehensive ledger. It underscores that attackers will find and exploit weak links wherever value accumulates. Technical fixes—patching systems, improving authentication, and hardening networks—are necessary but not sufficient. The problem requires coordinated policy choices, sustained investment in legacy modernization, better incentives for threat reporting, and international law-enforcement cooperation to disrupt monetization networks.
As the FBI’s alert reminds institutions, rapid information sharing and operational hygiene can blunt immediate threats, but the structural drivers of cybercrime—profitability, commodification of tools, and asymmetric risk—remain. If history is any guide, each successful defense spurs new attacker innovation. So the question is not merely whether banks can stop the next jackpotting wave, but whether industry, regulators, and law enforcement can change the economics so that large-scale, low-risk cash-out operations become unprofitable. How long will we wait before the balance of incentives finally tips away from the criminals?
Source: https://www.infosecurity-magazine.com/news/jackpotting-surge-costs-banks-20m/
Additional reporting and context drawn from public analyses of cybercrime trends and recent law-enforcement advisories have highlighted the interplay of tactics, markets, and policy responses that shape this threat landscape.




