Mitigate ATM Jackpotting Risk With Layered Security

Jill M. Czerwinski, Nick Levato, Justin Russell
| 10/22/2025
A person unlocking an ATM machine with a key, illustrating the risks of jackpotting and the need for cybersecurity measures.

ATM jackpotting is a blend of cyber and physical crime that requires layered defenses, stronger governance, and executive oversight.

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance. This annual initiative, now in its 22nd year, focuses on helping organizations and the public to enhance their awareness of cybersecurity, reduce risk, and address cyberthreats. In this article, Crowe cybersecurity specialists discuss ATM jackpotting and offer proactive steps financial services organizations can take to help prevent attacks.

To protect against ATM jackpotting attacks, financial services organizations can take proactive steps to shore up machine and software security.

A late-night call no bank wants

Imagine this scenario: The phone rings just after midnight. A regional bank’s security operations center reports that an ATM alarm has triggered, suggesting tampering. When investigators review the footage, what they find looks like a scene out of a heist film: Two individuals have pried open the machine, inserted a device into its guts, and – within minutes – forced it to dispense stacks of cash. By dawn, the machine is empty, the suspects are gone, and the bank is left to explain the outage to customers.

This scenario, once rare, has become increasingly common. Known as ATM jackpotting, these attacks highlight the convergence of cyber and physical crime. While ATM jackpotting attacks are marked by immediate cash losses for financial services organizations, they can lead to even larger issues, including reputational damage, operational disruption, and, in some cases, potential entry points into broader bank networks. The good news is that organizations can take proactive steps to mitigate risk.


ATM jackpotting: What it is and why it matters

ATM jackpotting involves criminals gaining unauthorized access to a machine’s hardware or software to force it to dispense cash on command. Unlike traditional skimming, which siphons cardholder data, ATM jackpotting drains physical machines directly, often until they are empty.

To conduct the attack, threat actors:

  • Exploit physical vulnerabilities such as factory-default keys, poorly monitored service bypass modes, or exposed USB ports
  • Install malware or swap out hard drives to override ATM operations
  • Connect rogue devices that can receive illicit commands
  • Conduct fraudulent transactions and flee with cash

ATM jackpotting is not new; the U.S. Secret Service issued a warning about such attacks in 2018. However, the number of incidents is rising. For bank executives, the implications extend beyond immediate losses. These incidents erode customer trust, generate headlines, and raise regulatory and insurance questions.

Cases from the field

Following are four examples that highlight how ATM jackpotting schemes now span multiple states, involve both domestic and international actors, and blend low-tech physical exploits with highly sophisticated cyberattacks. Together, they illustrate the growing scale, coordination, and creativity of criminal operations targeting ATMs as well as the pressing need for heightened vigilance across the financial sector.

Multistate, organized crime

In May 2025, federal prosecutors announced charges against nine men in connection with jackpotting conspiracies across six states: Nebraska, Colorado, Missouri, Iowa, Oregon, and Washington. The schemes drained ATMs of tens of thousands of dollars at a time, and those convicted face up to 20 years in prison.

The Michigan scooter crew

In September 2024, two men used a mix of low- and high-tech tricks to rob four branches of one bank in a single day. Surveillance showed one suspect arriving on an electric scooter, opening ATMs with a universal key, gluing over sensors, and swapping in hard drives loaded with malware. His partner returned with a keyboard and cellphone and forced the ATMs to spit out cash. By day’s end the pair had stolen more than $107,000. Weeks later, police arrested them in Minnesota with stacks of cash, superglue, ATM keys, and devices in their hotel room.

Texas ATM jackpotting with Russian ties

In Harris County, Texas, investigators uncovered a remote hacking scheme in which threat actors attacked 70 ATMs across Houston, Dallas, Austin, and San Antonio in just four days. The thieves, linked to a group with ties to Russia, stole $236,000. Using discarded ATM receipts and remote commands, they tricked machines into dispensing cash without affecting customer accounts. Small businesses hosting the ATMs, including gas stations, hotels, and convenience stores, absorbed the losses.

Local surge in North Carolina

A series of incidents in North Carolina prompted the North Carolina Bankers Association to issue warnings to financial services organizations. These attacks were often timed for weekends or overnight hours when machines were lightly monitored. Criminals exploited factory-installed universal keys sold on the dark web and targeted stand-alone ATMs with weaker physical controls.

These four examples illustrate a clear pattern: ATM jackpotting has moved from a set of isolated events to a widespread, organized, and increasingly sophisticated wave of attacks.

Why executives should care

The financial losses alone – more than $107,000 in Michigan, $236,000 in Texas, and tens of thousands of dollars per machine in the multistate federal case – are concerning. But the larger risks include:

  • Reputational damage. Customers who encounter out-of-service ATMs might assume ransomware or systemic compromise. Trust erodes quickly when cash access is disrupted.
  • Operational downtime. Machines can remain offline for days or weeks, which negatively affects branch traffic and customer satisfaction.
  • Network risk. In some investigations, compromised ATMs served as potential pivot points into enterprise networks, especially when integrated interactive teller machines (ITMs) or remote management tools were involved.
  • Regulatory and insurance exposure. Underreporting remains common, but regulators and insurers are increasingly scrutinizing cyber-physical incidents.

In many cases, organizations fail to treat ATMs as part of their broader digital ecosystem, which leaves operational and physical security teams siloed from IT. This organizational gap increases the risk of missed signals and delayed response.

Front-line insights: How attackers succeed

Recent ATM jackpotting cases have demonstrated a consistent set of attack practices:

  • Gaining physical access. Whether by force, default keys, or alarms left in bypass during vendor maintenance, threat actors must first open the machine; every later step depends on it. In many cases, criminals simply pry off faceplates with screwdrivers. In some incidents, maintenance vendors left alarms in bypass mode, which left machines unprotected without the organization’s knowledge.
  • Connecting malicious drives. Once inside the cabinet, attackers plug in a rogue USB stick or external drive, or replace the ATM’s internal drive with one loaded with malware or a custom operating environment that gives them direct control of the dispenser. The malicious code skips the normal transaction flow (the ATM never asks the host to authorize a withdrawal) and issues dispense commands to the cash handler directly, typically through the ATM’s XFS middleware. Some strains are bought on the dark web; many crews write custom code for specific ATM makes and models.
  • Deploying and activating the malware. With the compromised software in place, attackers trigger the jackpot with a sequence of commands: a universal code entered on the ATM keypad, instructions sent from a laptop or mobile device, or a rogue device wired directly to the dispenser. The machine treats these commands as legitimate and releases cash to the person standing at it, who collects it and flees.
  • Bypassing existing controls. Many banks and credit unions rely on cameras, alarms, or routine patrols, but these rarely stop a jackpotting crew. Cameras record activity but seldom in real time or with automated alerts; alarms are sometimes left in bypass during servicing; manual video review is too slow, and simple motion detection produces alert fatigue. Added patrols and lighting do not deter determined attackers. These controls remain valuable, but they are insufficient against criminals armed with custom malware and coordinated tactics.
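The control that catches the attack pattern above is reconciliation: cash leaving the safe with no matching host authorization, especially while the tamper alarm is bypassed. The following is an added example written for this article (not Crowe’s code or any ATM vendor’s); the terminal IDs, timestamps, amounts, and the 90-second matching window are constructed assumptions, and the two log feeds it reads are ones a bank can normally obtain from its ATM fleet and acquirer host.

```python
"""Reconcile ATM dispenser events against acquirer-host authorizations.

Added example for this article; not Crowe's code or any vendor's. Assumes two
constructed feeds: dispense events reported by the ATM (terminal, time, amount
and the host reference the ATM claims) and authorizations issued by the host.
A jackpot is cash leaving the safe with no matching authorization, often while
the tamper alarm is in bypass; both conditions are flagged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Dispense:
    terminal: str
    at: datetime
    amount: int              # whole currency units dispensed
    host_ref: Optional[str]  # authorization reference the ATM reported, if any


@dataclass(frozen=True)
class Authorization:
    terminal: str
    at: datetime
    amount: int
    ref: str


@dataclass(frozen=True)
class BypassWindow:
    terminal: str
    start: datetime
    end: datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (assumed, not real): one normal withdrawal, three
# jackpot dispenses and one reused reference on ATM-0412 while its alarm is in
# bypass; ATM-0077 is clean.
DISPENSES = [
    Dispense("ATM-0412", ts("2025-09-14T00:10:07"), 200, "A1"),
    Dispense("ATM-0412", ts("2025-09-14T00:41:10"), 2000, None),
    Dispense("ATM-0412", ts("2025-09-14T00:41:55"), 2000, None),
    Dispense("ATM-0412", ts("2025-09-14T00:42:40"), 1800, None),
    Dispense("ATM-0412", ts("2025-09-14T00:43:30"), 200, "A1"),  # replayed ref
    Dispense("ATM-0077", ts("2025-09-14T00:50:02"), 100, "A2"),
]
AUTHORIZATIONS = [
    Authorization("ATM-0412", ts("2025-09-14T00:10:05"), 200, "A1"),
    Authorization("ATM-0077", ts("2025-09-14T00:50:00"), 100, "A2"),
]
BYPASS_WINDOWS = [
    # vendor left the tamper alarm in bypass after a service call (assumed)
    BypassWindow("ATM-0412", ts("2025-09-14T00:30:00"), ts("2025-09-14T01:30:00")),
]


def _matches(a: Authorization, d: Dispense, window: timedelta) -> bool:
    return (a.terminal == d.terminal and a.amount == d.amount
            and abs(a.at - d.at) <= window)


def reconcile(dispenses, authorizations, bypass_windows,
              window=timedelta(seconds=90)):
    """Return [(dispense, [reasons])] for every dispense that looks like a jackpot.

    Each authorization is consumed once. A dispense that cites no reference, or
    reuses one already consumed, must still find an unused authorization for the
    same terminal and amount within `window`, or it is flagged.
    """
    unused = {a.ref: a for a in authorizations}
    findings = []
    for d in sorted(dispenses, key=lambda x: x.at):
        reasons = []
        if d.host_ref in unused and _matches(unused[d.host_ref], d, window):
            match = unused[d.host_ref]
        else:  # no usable reference: look for any unused authorization that fits
            match = next((a for a in unused.values() if _matches(a, d, window)), None)
        if match is None:
            reasons.append("no host authorization")
        else:
            del unused[match.ref]
        if any(b.terminal == d.terminal and b.start <= d.at <= b.end
               for b in bypass_windows):
            reasons.append("dispensed while tamper alarm in bypass")
        if reasons:
            findings.append((d, reasons))
    return findings


def unauthorized_total_by_terminal(findings):
    """Sum of cash dispensed without authorization, per terminal."""
    totals = {}
    for d, reasons in findings:
        if "no host authorization" in reasons:
            totals[d.terminal] = totals.get(d.terminal, 0) + d.amount
    return totals


if __name__ == "__main__":
    found = reconcile(DISPENSES, AUTHORIZATIONS, BYPASS_WINDOWS)
    for d, reasons in found:
        print(f"{d.terminal} {d.at.isoformat()} {d.amount:>6}: {'; '.join(reasons)}")
    print(unauthorized_total_by_terminal(found))
```

Run against the constructed feeds, the script flags the four ATM-0412 dispenses (including the one that replays reference A1) and nothing on ATM-0077, and reports 6,000 units of unauthorized cash. Because the rule keys on the absence of a host authorization rather than on a malware signature or a camera frame, it fires within the matching window regardless of how the cabinet was opened or which strain is running, which is exactly the gap the camera-and-patrol controls above leave open.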

Vendors and third-party risk

Most banks have several third-party vendors that support ATM services, including:

  • ATM hardware and software providers, such as NCR Atleos or Diebold Nixdorf Inc.
  • ATM integrators, including NCR Atleos, Diebold Nixdorf Inc., and independent companies like Quanta Storage Inc.
  • Video surveillance vendors, including NCR Atleos and Diebold Nixdorf Inc., with native functionality as well as specialty providers such as March Networks and Verint Systems Inc.
  • Cash logistics and replenishment vendors, such as Brink’s and Loomis US

Vendors have specific roles in ATM security: Hardware and software providers manage device security and updates, integrators configure and maintain systems, surveillance vendors monitor for incidents, and cash logistics companies manage cash replenishment. Financial services organizations must identify which vendors control each aspect and assess their effectiveness to ensure thorough protection.

Preventive and mitigating steps

To prevent ATM jackpotting, financial services organizations should prioritize layered defenses that combine physical, cyber, and organizational controls. Based on front-line casework and industry guidance, the most effective preventive measures and specific mitigating steps include:

Physical security controls

  • Replace factory-default locks with high-security alternatives.
  • Harden ATM enclosures and restrict access to service bypass switches.
  • Improve lighting and surveillance at deployment sites and place high-risk units in more secure environments.
  • Conduct daily tampering inspections for glue, foreign devices, or forced entry.

Network and communications controls

  • Encrypt ATM-to-host communications with TLS 1.2 or higher, with the ATM validating the host certificate so a rogue host cannot impersonate the acquirer. The link between the ATM’s PC core and the cash dispenser is a separate channel; enable the hardware vendor’s authenticated (encrypted) dispenser communication so the dispenser rejects commands from any controller other than the ATM’s own software, which is what a rogue “black box” device wired to the dispenser relies on.
  • Install and maintain firewalls configured to allow only necessary connections.
  • Monitor ATM network traffic for anomalies or unauthorized remote access attempts.
  • Segment ATM networks from the broader enterprise environment to limit lateral movement.
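The segmentation and monitoring bullets above amount to a small allow-list policy that can be checked mechanically against flow or firewall logs. The following is an added example for this article (not Crowe’s code or any vendor’s); the subnet, host addresses, ports, and the log line format are assumptions chosen for illustration, and the policy it encodes is the one the bullets describe: an ATM may initiate connections only to the acquirer host, the management server, and DNS; only the management server may initiate a connection to an ATM; ATMs never talk to each other.

```python
"""Audit ATM network flows against a segmentation policy.

Added example for this article, not Crowe's or any vendor's code. Addresses,
ports and the log format are assumptions. Anything an ATM initiates outside
the allow-list, anything initiated *to* an ATM other than management on 8443,
and any ATM-to-ATM traffic is reported.
"""
import ipaddress
from dataclasses import dataclass

ATM_SUBNET = ipaddress.ip_network("10.50.0.0/24")   # assumed ATM segment
ACQUIRER_HOST = ipaddress.ip_address("192.0.2.10")  # assumed
MGMT_SERVER = ipaddress.ip_address("10.60.0.5")     # assumed
DNS_SERVER = ipaddress.ip_address("10.0.0.53")      # assumed

# (destination, port, protocol) an ATM is allowed to initiate
ATM_EGRESS_ALLOW = {
    (ACQUIRER_HOST, 443, "tcp"),   # transaction host over TLS
    (MGMT_SERVER, 8443, "tcp"),    # patching / remote management
    (DNS_SERVER, 53, "udp"),
}
# (source, port, protocol) allowed to initiate a connection *to* an ATM
ATM_INGRESS_ALLOW = {(MGMT_SERVER, 8443, "tcp")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def classify(flow: Flow) -> str:
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_atm, dst_atm = src in ATM_SUBNET, dst in ATM_SUBNET
    if src_atm and dst_atm:
        return "lateral-atm-to-atm"       # ATMs have no reason to talk to each other
    if src_atm:
        if (dst, flow.dport, flow.proto) in ATM_EGRESS_ALLOW:
            return "allowed"
        return "unexpected-egress"        # possible remote-command channel
    if dst_atm:
        if (src, flow.dport, flow.proto) in ATM_INGRESS_ALLOW:
            return "allowed"
        return "unexpected-ingress"       # e.g. RDP/SMB to an ATM from elsewhere
    return "not-atm-traffic"


def parse_log(text: str):
    """Parse constructed 'src dst dport proto' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def audit(flows):
    """Return {verdict: [flows]} for everything that is neither allowed nor unrelated."""
    report = {}
    for f in flows:
        verdict = classify(f)
        if verdict not in ("allowed", "not-atm-traffic"):
            report.setdefault(verdict, []).append(f)
    return report


# Constructed sample log (assumed, not captured from a real network).
SAMPLE_LOG = """\
10.50.0.21 192.0.2.10 443 tcp
10.50.0.21 10.0.0.53 53 udp
10.60.0.5 10.50.0.21 8443 tcp
10.50.0.21 10.50.0.22 445 tcp
198.51.100.7 10.50.0.21 3389 tcp
10.50.0.21 203.0.113.50 443 tcp
10.60.0.5 10.50.0.22 3389 tcp
10.70.0.9 10.70.0.10 80 tcp
"""

if __name__ == "__main__":
    for verdict, flows in audit(parse_log(SAMPLE_LOG)).items():
        for f in flows:
            print(f"{verdict:20} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

On the sample log the audit reports one ATM-to-ATM SMB flow, two inbound RDP attempts (one from an outside address, one from the management server on a port the policy does not permit), and one outbound HTTPS connection to an address that is not the acquirer. The same policy table can be handed to whoever maintains the firewall as the specification of what “only necessary connections” means for the ATM segment.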

ATM device and software controls

  • Secure the BIOS/UEFI firmware settings: set a supervisor password, disable booting from USB and other removable media, and enforce UEFI Secure Boot as directed by the ATM hardware provider, so that a swapped drive or a USB boot device is refused at power-on.
  • Apply full-disk encryption with the key bound to the machine’s TPM, so a drive pulled from the ATM cannot be read or cloned elsewhere and a drive prepared elsewhere cannot be dropped in and booted.
  • Implement application allowlisting (covering executables, scripts, and libraries) to block unauthorized code, and supplement it with updated anti-malware software; allowlisting matters because custom, model-specific jackpotting malware is unlikely to have a signature.
  • Patch ATM operating systems and applications regularly and migrate away from unsupported platforms.
  • Enforce role-based access controls and multifactor authentication (MFA) for ATM administration and remote access.
  • Conduct regular penetration testing and audits to validate controls.

Third-party risk controls

  • Evaluate whether vendor assessments adequately measure the sufficiency of controls in this area.
  • Consider mapping out a defense-in-depth strategy that lists the required controls and which vendor is responsible for each.
  • Monitor vendor performance against expectations and consider alternatives if the vendor is not helping to prevent this risk.

By structuring defenses across these layers – physical, network, device, and software controls – banks and credit unions can significantly reduce the risk that criminals will succeed in ATM jackpotting campaigns.

Figure: Visual flow of ATM jackpotting attack steps and corresponding cybersecurity prevention strategies.
Source: Crowe analysis, October 2025

Attack steps:

  • Gaining physical access: forcing locks, using default keys, or bypassing alarms
  • Connecting malicious drives: USB sticks, hard drives, or rogue devices installed inside the ATM
  • Loading malware: normal ATM operations replaced by compromised code
  • Activating the jackpot: cash dispensing triggered by universal codes, laptops, or mobile devices
  • Cashing out and escaping: money collected quickly, devices removed, cameras disabled

Prevention layers:

  • Physical security controls: stronger locks, hardened enclosures, tamper checks, and surveillance
  • Network controls: TLS 1.2 encryption, firewalls, traffic monitoring, and network segmentation
  • Device and BIOS protection: secure boot settings, disabled autoplay, full-disk encryption
  • Software and patching: application allowlisting, anti-malware software, and regular patch cycles
  • Access and oversight: role-based controls, MFA for remote access, and regular penetration testing

Leadership takeaways

ATM jackpotting shows no sign of slowing. Looking forward, two developments are worth watching:

  • Integration of AI-driven surveillance. Smarter cameras might help distinguish between normal ATM use and suspicious tampering, but organizations must take steps to avoid alert fatigue.
  • Expansion of services at ATMs and ITMs. As devices take on broader roles – including potential crypto asset transactions – they likely will become even more attractive to threat actors.

For bank and credit union executives, the key lessons are clear:

  • Treat ATMs and ITMs as part of the broader cyber landscape, not just physical assets.
  • Expect attacks to be underreported, localized, and cumulative in impact.
  • Recognize reputational harm as equal to, or greater than, direct financial loss.
  • Insist on stronger cyber resilience, layered defenses, vendor accountability, and coordinated response protocols.

ATM jackpotting is not just a technical nuisance. It is a brand and governance issue that demands attention from leadership.
