ATM Jackpotting

Austin Kanarr
| 5/3/2018
Stop the money mules

Attacks on automated teller machines (ATMs) started hitting the United States in late January 2018. Known as ATM jackpotting, the attack features a malicious string of malware that allows thieves to turn ATMs into slot machine-type “jackpots.” Once hacked, machines start spitting out money and don’t stop until they’re empty. This high-level overview describes the intricacies of ATM jackpotting and suggests countermeasures to protect ATMs.

The Current Threat

The "ATM jackpotting" attack is not new to the cybersecurity world. Researchers at Symantec first spotted the malware in Mexico in 2013. In that event, attackers used either an external keyboard or SMS text messaging to send commands to a compromised ATM.

The current threat targets older, front-loaded Diebold ATM models Opteva 500 and 700. Diebold’s back-loaded ATM models are much harder to exploit physically because of the location of the internal components. However, FireEye researcher Daniel Regalado also warns the malware could easily be customized to exploit other models and manufacturers that use the Kalignite multivendor platform.

The Attack Vector

Compromising an ATM is not an easy feat. In order to compromise ATMs and later exploit them, attackers must first gain physical access without looking suspicious or being caught. Because U.S. ATMs generally have stronger physical security controls, such as security cameras, the attack has taken its time in reaching the United States. An attacker is most likely to attempt ATM jackpotting on a machine with the least amount of foot traffic and security controls.

Jackpotting thieves attempt to use a variety of methods to identify vulnerable targets and weasel their way in. They have been known to use various social engineering tactics to their advantage, such as posing as maintenance or technical contractors to perform regular checkups on ATMs. From there, the attackers have to gain access to the inner workings of the ATMs by either using a stolen key, a picklock, or an industrial USB-endoscope, or by cutting into the machine. Once they gain physical access into the machine, attackers connect a device, such as small laptop, phone, or electronic device, and inject malware known as “Ploutus.D.”

After the malware is loaded, attackers can send one or more of their members known as “money mules” to exploit compromised ATMs and collect the cash. Money mules can initiate the exploit using a specific code provided by their boss or attack leader. After ATMs are emptied of all their cash, the money mule or the fake technician removes their devices so as not to leave physical data behind.


On Jan. 25, 2018, Diebold Nixdorf released a statement, obtained by KrebsOnSecurity, to their customers acknowledging the attack was expected to spread from Mexico into the United States. In the statement, Diebold provides specific recommendations on how to protect ATMs from jackpotting attacks.

First and foremost, best practice security measures provided by ATM vendors should be followed. In conjunction with working alongside ATM vendors, some security best practices to lock down ATMs include:

Physical Security
  • Implement two-factor authentication for technicians to obtain physical access.
  • Use full-disk encryption on all ATM hard drives.
  • Update security awareness training to help identify suspicious activity.
Logical Security
  • Update firmware, software, and operating systems to the latest releases.
  • Use encrypted communication protocols where possible.

Get Proactive

How can you protect your ATMs and networks? Consider the following questions: What operating system is running on your ATM and is it secure? Are other devices that might not be a typical workstation still playing a role on your network? One thing remains certain: Thieves are always looking for a way to make a quick buck.