Ploutus Malware Drains U.S. ATMs Without a Card or Account — FBI Issues Emergency FLASH Alert

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A 19 February 2026 FBI FLASH (FLASH-20260219-001) warns banks and ATM operators about a rise in malware-enabled “jackpotting,” where criminals exploit physical access and software gaps to make machines pay out cash without a real transaction, a pattern now seen across the United States.

The alert focuses on Ploutus, an ATM-targeting malware family that abuses eXtensions for Financial Services (XFS), the software layer that tells dispenser hardware what to do.

In a normal withdrawal the ATM application issues XFS dispense commands only after the bank approves the transaction, but Ploutus lets an intruder issue those commands directly and bypass that authorization.

Federal Bureau of Investigation (FBI) analysts noted the activity while compiling indicators of compromise and other technical details to help organizations respond, and report that more than 700 of roughly 1,900 jackpotting incidents recorded since 2020 occurred in 2025, producing over $20 million in losses.

Unlike fraud that steals card data, Ploutus attacks the ATM itself and can dispense cash without a bank card, customer account, or bank approval, so cash-out can happen in minutes.

However, it may not be spotted until the machine runs low on cash, and many crews begin by opening the ATM face with widely available generic keys.

Infection mechanism and on-box control

Once physical access is gained, attackers may pull the hard drive, connect it to another computer, copy the malware, reinstall it, and reboot, or they may swap in a foreign drive or external device that already carries the payload, sometimes alongside a plugged-in USB hub or keyboard.

Since many ATMs run Windows, the same approach can be adapted across different manufacturers with only small code changes, and the malicious program talks directly to hardware through XFS, so it may work even when the ATM is offline and network alerts stay quiet.

Because the malware tries to persist and hide, responders should look for unexpected executables such as Newage.exe, NCRApp.exe, WinMonitor.exe, or sdelete.exe; new folders under paths like C:\Users\SSAuto1\AppData\Local\P; unauthorized remote tools like AnyDesk or TeamViewer; and registry autoruns or custom services with generic names like “ATM Service” and “Dispenser Service.”

The FBI recommends changing standard locks, adding tamper sensors and camera coverage, enabling disk encryption and hardware device whitelisting, validating each ATM against a trusted gold image and baseline hashes, and turning on targeted Windows auditing so that USB insertion, file writes, process creation, and log clearing (Event IDs 6416, 4663, 4688, and 1102) can be correlated. Suspected jackpotting should be reported to a local FBI field office or IC3.
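As an added example (not from the FLASH or this article), the correlation a responder could run over an exported event log: it flags process creation (4688) and executable writes (4663) involving the names and path listed above, notes when they follow a USB insertion (6416) within an assumed 30-minute window, and reports log clearing (1102). The "timestamp|EventID|detail" export format, the window, and the AnyDesk/TeamViewer binary names are assumptions; the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Executable names from the indicators above; the AnyDesk/TeamViewer file names are assumed.
SUSPECT_EXES = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe",
                "anydesk.exe", "teamviewer.exe"}
SUSPECT_PATH = "\\appdata\\local\\p\\"      # lower-cased fragment of the path named above
WINDOW = timedelta(minutes=30)              # assumed window linking a USB insertion to later events

# Constructed sample export in an assumed "timestamp|EventID|detail" format.
SAMPLE_LOG = r"""2026-02-19T02:10:05|6416|New external device recognized: USB Mass Storage Device
2026-02-19T02:12:40|4663|Object written: C:\Users\SSAuto1\AppData\Local\P\NCRApp.exe
2026-02-19T02:14:12|4688|New process: C:\Users\SSAuto1\AppData\Local\P\NCRApp.exe
2026-02-19T02:15:30|4688|New process: C:\Windows\System32\svchost.exe
2026-02-19T02:40:00|1102|The audit log was cleared"""

def parse(line):
    ts, eid, detail = line.split("|", 2)
    return {"time": datetime.fromisoformat(ts), "id": int(eid), "detail": detail.strip()}

def basename(detail):
    # Last path component of the detail text, lower-cased for comparison.
    return detail.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def correlate(events):
    """Return (reason, event) pairs for the sequences the FLASH guidance describes."""
    findings, last_usb = [], None
    for e in sorted(events, key=lambda ev: ev["time"]):
        low = e["detail"].lower()
        after_usb = last_usb is not None and e["time"] - last_usb <= WINDOW
        tail = " after USB insertion" if after_usb else ""
        if e["id"] == 6416:
            last_usb = e["time"]
        elif e["id"] == 4663 and low.endswith(".exe") and SUSPECT_PATH in low:
            findings.append(("executable written under user profile" + tail, e))
        elif e["id"] == 4688 and (basename(e["detail"]) in SUSPECT_EXES or SUSPECT_PATH in low):
            findings.append(("unexpected process" + tail, e))
        elif e["id"] == 1102:
            findings.append(("security log cleared", e))
    return findings

def scan(text):
    return correlate(parse(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for reason, e in scan(SAMPLE_LOG):
        print(f"{e['time'].isoformat()} {e['id']} {reason}: {e['detail']}")
```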
