Washington, D.C.

Feds Sound Alarm For Sacramento Banks As ATM 'Jackpotting' Scams Explode

Published on February 19, 2026
Source: U.S. Attorney's Office, District of Nebraska

The FBI is warning Sacramento banks and retailers that the cash machines sitting in their lobbies and storefronts are increasingly becoming high-tech piñatas for organized crews who know exactly where to swing.

In a FLASH bulletin published Thursday, the bureau and its partners flagged a national surge in “ATM jackpotting,” a type of attack that blends on-site tampering with custom malware so machines spit out cash without a real transaction. The schemes are described as rapid, coordinated cash-out runs that go after both the guts of the machine and the Windows-based software that tells it when to pay up, according to IC3.gov. FBI Sacramento publicly amplified the warning in a social media post, urging local banks, retailers and law enforcement to follow the advisory and report anything suspicious, according to FBI Sacramento.

The scale is not small. Since 2020, federal agents say they have tracked about 1,900 jackpotting incidents nationwide, more than 700 of them in 2025 alone, with reported losses topping $20 million, according to IC3.gov. For Sacramento businesses that host stand-alone ATMs, that is a strong hint to take physical security and software hygiene seriously.

How the attacks work

According to the advisory, crews often start with something painfully simple: physical access. Attackers can use widely available generic keys to open an ATM’s maintenance panel, then get to the hard drive or ports inside.

From there, they may remove and copy the ATM’s hard drive, swap in a drive that is already loaded with malware, or plug in removable media loaded with malicious code. The FBI warns that the software can “dispense cash without a legitimate transaction” by exploiting the Windows operating system and the XFS layer that sends commands to ATM hardware, which lets criminals talk directly to the cash dispenser, according to IC3.gov.

Once the malware is in place, the crew can trigger rapid-fire withdrawals, often coordinating multiple machines and locations so the money is gone long before anyone realizes the ATM is not just “acting up.”

Prosecutions and scope

Federal prosecutors say this is not a handful of lone hackers experimenting on weekends. The technique has turned up in coordinated, multistate campaigns that produced multiple indictments and guilty pleas late last year and this month, with authorities tying many attacks to variants of the Ploutus malware. The U.S. Attorney’s Office for the District of Nebraska has described indictments from an ongoing national investigation and additional charges filed Jan. 26 that together name dozens of defendants, according to the U.S. Attorney’s Office for the District of Nebraska.

Similar prosecutions in Georgia and other states highlight how far the schemes have spread, according to the Middle District of Georgia.

What operators should do

The FBI bulletin is blunt that stopping jackpotting takes both better locks and better code. Recommended moves include:

  • Change standard ATM locks and add tamper sensors.
  • Install stronger physical barriers and higher-quality cameras around machines.
  • Turn on device whitelisting and auditing for removable media.
  • Use a cryptographically verified “gold image” for all ATM software deployments.
  • Enable firmware integrity checks, disk encryption and extended log retention.

The advisory also suggests configuring ATMs to automatically shut down or go out of service when several red flags appear at once, the kind of pattern that points to a staged compromise in progress. Together, the steps are meant to disrupt each phase of a jackpotting job: gaining physical access, staging local malware and then sending undetected cash-dispense commands.
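As an added illustration (not code from the FBI bulletin or from any ATM vendor), the sketch below shows one way an operator's monitoring could correlate several red flags on the same machine inside a short window and decide to take it out of service. The event names, log format, 15-minute window and three-flag threshold are all assumptions chosen to mirror the attack phases described above.

```python
from datetime import datetime, timedelta

# Constructed event names (assumptions), one per phase the article describes.
RED_FLAGS = {
    "PANEL_OPEN",          # maintenance panel opened
    "DISK_REMOVED",        # hard drive disconnected or swapped
    "USB_MEDIA_INSERTED",  # removable media attached
    "DISPENSE_NO_TXN",     # dispenser command with no matching transaction
}
WINDOW = timedelta(minutes=15)  # assumed correlation window
THRESHOLD = 3                   # assumed number of distinct flags required

# Constructed sample log, one event per line: "ISO-timestamp atm-id event"
SAMPLE_LOG = """\
2026-02-19T02:10:04 ATM-017 PANEL_OPEN
2026-02-19T02:11:30 ATM-017 USB_MEDIA_INSERTED
2026-02-19T02:12:00 ATM-022 PANEL_OPEN
2026-02-19T02:13:45 ATM-017 DISK_REMOVED
2026-02-19T02:14:10 ATM-017 DISPENSE_NO_TXN
2026-02-19T09:00:00 ATM-022 CASH_LOW
2026-02-19T11:30:00 ATM-022 USB_MEDIA_INSERTED
"""

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the monitor
        ts, atm, event = parts
        yield datetime.fromisoformat(ts), atm, event

def out_of_service_decisions(log, window=WINDOW, threshold=THRESHOLD):
    """Return {atm_id: (trigger_time, sorted_flags)} for ATMs to take offline."""
    recent = {}     # atm_id -> {flag: time last seen}
    decisions = {}
    for ts, atm, event in sorted(parse(log)):
        if event not in RED_FLAGS or atm in decisions:
            continue
        flags = recent.setdefault(atm, {})
        flags[event] = ts
        # Keep only the distinct flags seen inside the sliding window.
        live = {f: t for f, t in flags.items() if ts - t <= window}
        recent[atm] = live
        if len(live) >= threshold:
            decisions[atm] = (ts, sorted(live))
    return decisions

if __name__ == "__main__":
    print(out_of_service_decisions(SAMPLE_LOG))
```

In the constructed log, ATM-017 trips the rule on its third distinct flag, before the dispense event, while ATM-022's two flags are hours apart and never correlate.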

What customers and small businesses should watch for

For customers and merchants hosting ATMs, the FBI’s message is to trust your eyes. Things to watch for include:

  • Open or damaged maintenance hatches or panels.
  • Loose, unfamiliar or extra devices and cables attached to the machine.
  • Unexpected “low cash” or “out of service” messages, especially if they persist.
  • People loitering around ATMs at odd hours or repeatedly accessing panels.

If there are signs of tampering, the bulletin advises preserving surveillance footage, notifying the host bank or retailer right away, and reporting suspicious activity to local law enforcement. A directory of field offices and contacts is available through the FBI.

The advisory frames ATM jackpotting as an organized, lucrative crime that blends old-fashioned break-ins with tailored malware. With federal prosecutors rolling out multistate cases and the FBI pushing immediate defenses, banks, operators and local businesses are being told to treat ATM security as a front-line priority, not an afterthought.