[TIMESTAMP: 2026-02-24 08:22 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

ATM Jackpotting Trends: $20M Losses Driven by Legacy Exploits


ATM jackpotting, also known as logical attacks, involves the unauthorized use of software or external hardware to command an Automated Teller Machine (ATM) to dispense its entire cash reserve. According to Dark Reading, these attacks experienced a significant resurgence in 2025, accounting for more than $20 million in losses globally. Despite the antiquity of the methods used—many of which have been documented for over a decade—the financial sector continues to struggle with securing the physical and logical interfaces of cash-dispensing hardware.

Technical Analysis of Jackpotting Vectors

The persistence of jackpotting is largely attributed to the slow lifecycle of ATM hardware and the continued reliance on outdated operating systems. There are two primary categories of jackpotting: malware-based attacks and black-box attacks.

Malware-Based Attacks

In these scenarios, threat actors gain physical access to the ATM’s internal computer (the “top box”) via keys or physical force. Once accessed, they inject malware into the system through USB ports or other peripheral interfaces. Common malware families, such as Ploutus, WinPot, and Cutlet Maker, target the eXtensions for Financial Services (XFS) middleware. XFS is the standard API through which the banking application communicates with peripherals such as the dispenser. By sending commands through this layer, the malware bypasses the banking application entirely to trigger cash dispensing. These tools are frequently updated to evade specific antivirus solutions, but the core mechanism remains the same as that seen as early as 2013.

Black Box Attacks

Black box attacks are a form of hardware-based jackpotting where the attacker physically disconnects the ATM’s dispenser from the internal PC. They then connect a “black box”—often a modified laptop or a single-board computer like a Raspberry Pi—directly to the dispenser’s controller. This device sends unauthorized dispense commands directly to the hardware. Because the ATM’s main computer is bypassed, the banking software is unaware that a transaction is occurring, and no logs are generated within the central banking system. This method is particularly effective against older machines that lack hardware-level authentication.
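Because a black box drives the dispenser directly, the only record of the cash leaving the machine is on the dispenser side (cassette counters, dispenser-level event logs), not in the host or central banking system. One detection approach is therefore to reconcile dispenser-side dispense events against the host's authorized transaction log and alert on cash that left the machine with no matching transaction. The following is an added illustration written for this article, not code from any ATM vendor or from Dark Reading; the event format, the 30-second matching window, and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record types. Real deployments would pull these from the
# dispenser's own counters/logs and from the host transaction journal.
@dataclass(frozen=True)
class DispenseEvent:
    ts: datetime      # time the dispenser physically counted notes out
    amount: int       # value dispensed, in whole currency units

@dataclass(frozen=True)
class HostTransaction:
    ts: datetime      # time the host authorized the withdrawal
    amount: int
    txn_id: str

def reconcile(dispenser_events, host_txns, window=timedelta(seconds=30)):
    """Match each dispenser-side event to exactly one host transaction with the
    same amount inside the time window. Return the events nobody authorized."""
    used = set()
    unmatched = []
    for ev in dispenser_events:
        match = None
        for i, tx in enumerate(host_txns):
            if i in used:
                continue
            if tx.amount == ev.amount and abs(tx.ts - ev.ts) <= window:
                match = i
                break
        if match is None:
            unmatched.append(ev)
        else:
            used.add(match)
    return unmatched

def unaccounted_cash(dispenser_events, host_txns):
    """Total value that left the dispenser without a host-authorized transaction.
    A non-zero result is the black-box signature the article describes."""
    return sum(ev.amount for ev in reconcile(dispenser_events, host_txns))

# Constructed sample: three legitimate withdrawals, then a burst of large
# dispenses with nothing in the host journal to explain them.
T = datetime(2025, 6, 1, 10, 0, 0)
HOST_TXNS = [
    HostTransaction(T,                           100, "txn-0001"),
    HostTransaction(T + timedelta(minutes=5),    200, "txn-0002"),
    HostTransaction(T + timedelta(minutes=10),    50, "txn-0003"),
]
DISPENSER_EVENTS = [
    DispenseEvent(T + timedelta(seconds=3),                100),
    DispenseEvent(T + timedelta(minutes=5, seconds=2),     200),
    DispenseEvent(T + timedelta(minutes=10, seconds=1),     50),
    DispenseEvent(T + timedelta(minutes=90),              2000),
    DispenseEvent(T + timedelta(minutes=90, seconds=8),   2000),
    DispenseEvent(T + timedelta(minutes=90, seconds=15),  2000),
]

if __name__ == "__main__":
    for ev in reconcile(DISPENSER_EVENTS, HOST_TXNS):
        print(f"ALERT unauthorized dispense {ev.amount} at {ev.ts.isoformat()}")
    print("unaccounted cash:", unaccounted_cash(DISPENSER_EVENTS, HOST_TXNS))
```

The check only works if dispenser-side counters are collected out of band (for example during cash replenishment or via a monitoring channel independent of the ATM PC), since the PC itself is what the black box has bypassed.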

Drivers of the 2025 Surge

The 2025 surge highlights a systemic failure to address long-standing vulnerabilities. Several factors contribute to this trend:

  • Legacy Infrastructure: Many ATMs still run on Windows 7 or even Windows XP, leaving them vulnerable to known exploits that have remained unpatched for years. The lack of support for modern security features in these operating systems makes them soft targets for logical attacks.
  • Weak Physical Controls: Standardized physical keys for ATM enclosures are often leaked or sold on the dark web, allowing attackers easy access to the internal hardware without specialized tools.
  • Lack of Protocol Encryption: In many older ATM models, the communication between the PC and the dispenser is unencrypted. This lack of authentication allows black-box devices to masquerade as the legitimate host without being detected by the dispenser controller.

Mitigation and Defensive Priorities

To combat the rising threat of logical attacks, financial institutions must prioritize hardware hardening and network monitoring over simple software patches.

Hardware and Logical Hardening

  • Encrypted Communication: Implementing Transport Layer Security (TLS) or proprietary encryption between the ATM PC and the dispenser unit is the most effective defense against black box attacks. This ensures the dispenser only accepts commands from a trusted, authenticated source.
  • BIOS and Boot Security: Password-protecting the BIOS and disabling booting from external USB or CD/DVD drives prevents the initial execution of malware during the boot sequence.
  • Full Disk Encryption: Utilizing tools such as BitLocker prevents attackers from tampering with the file system offline if the hard drive is removed or accessed via an external OS.
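The "Lack of Protocol Encryption" driver above and the "Encrypted Communication" mitigation in this list describe the same gap from two sides: a dispenser that executes any well-formed command cannot tell the legitimate host from a black box. The sketch below, added here as a simplified illustration and not the XFS standard or any vendor's actual dispenser protocol, shows the property the mitigation needs: each dispense command carries a keyed MAC under a key the dispenser shares only with its provisioned host, plus a monotonic counter so a captured valid command cannot be replayed. The frame layout, key handling and result strings are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Frame layout (assumption): 8-byte counter, 4-byte amount, 32-byte HMAC-SHA256 tag.
BODY_FMT = ">QI"
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 32

class DispenserController:
    """Dispenser-side logic: execute a dispense only if the command authenticates
    under the provisioned key and its counter has not been seen before."""
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self.dispensed = 0

    def handle(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "REJECT_MALFORMED"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison: a black box must not learn the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            return "REJECT_AUTH"
        counter, amount = struct.unpack(BODY_FMT, body)
        # Strictly increasing counter defeats replay of a captured valid frame.
        if counter <= self._last_counter:
            return "REJECT_REPLAY"
        self._last_counter = counter
        self.dispensed += amount
        return "OK"

class HostPC:
    """Host-side logic: sign each dispense command with the shared key."""
    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def build_dispense(self, amount: int) -> bytes:
        self._counter += 1
        body = struct.pack(BODY_FMT, self._counter, amount)
        return body + hmac.new(self._key, body, hashlib.sha256).digest()

def demo():
    # Constructed key: in a real deployment this would be provisioned at install
    # time and held in tamper-resistant storage on both ends, never on the PC's disk.
    key = os.urandom(32)
    host = HostPC(key)
    dispenser = DispenserController(key)

    frame = host.build_dispense(100)
    r_legit = dispenser.handle(frame)      # authenticated, fresh: accepted
    r_replay = dispenser.handle(frame)     # same frame again: counter not fresh

    # A device without the key can only produce an unkeyed or guessed tag.
    body = struct.pack(BODY_FMT, 999, 5000)
    forged = body + hashlib.sha256(body).digest()
    r_forged = dispenser.handle(forged)    # tag does not verify

    return r_legit, r_replay, r_forged, dispenser.dispensed

if __name__ == "__main__":
    print(demo())
```

The point is where the trust boundary sits: the dispenser, not the PC, enforces authentication, so disconnecting the PC and plugging in another device gains nothing without the key. TLS with mutual authentication gives the same property with standard tooling; the MAC-and-counter form above is only the minimal version of the check.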

Physical and Environmental Controls

  • Enhanced Monitoring: Integrating vibration and tilt sensors can alert security teams to physical tampering attempts in real-time, often before the attacker can access the top-box electronics.
  • Unique Key Management: Moving away from universal keys for top-box access reduces the risk of mass compromise through stolen or replicated keys. Implementing electronic locks with one-time codes (OTC) for maintenance personnel is a recommended best practice.

Defenders must recognize that jackpotting is not a sophisticated zero-day threat but a failure of basic security hygiene and physical perimeter defense. As long as legacy systems remain in the field without authenticated hardware communication, these attacks will continue to yield high returns for criminal organizations.
