The FBI is warning that ATM jackpotting attacks - where hackers make machines spit out cash like slot machines - are surging. It's low-tech physical hacking meeting software vulnerabilities, and it's netting criminals millions.
This is the kind of hacking most people think went extinct in the 90s. Open the ATM, plug in a device, watch cash pour out. Except it's not extinct - it's thriving. The FBI's latest advisory confirms what security researchers have been warning about for years: ATMs are just badly secured Windows boxes in metal shells, and criminals have figured out how to exploit them at scale.
Here's how jackpotting works. Criminals gain physical access to the ATM - sometimes by picking locks, sometimes by obtaining master keys that work on entire fleets of machines. Once inside, they connect a device directly to the ATM's computer, which is often running an outdated version of Windows XP or Windows 7. From there, it's a matter of running specialized malware that sends commands to the cash dispenser.
The ATM doesn't know it's been compromised. As far as the machine is concerned, it's receiving legitimate commands from the bank's system. The malware tricks it into dispensing cash without any corresponding withdrawal from an account. The criminals walk away with thousands of dollars per machine, often hitting multiple ATMs in a single night.
What makes this particularly frustrating is that the vulnerabilities are well-known. Security researchers have been demonstrating ATM attacks at conferences for over a decade. The fixes are straightforward: encrypt communications between the computer and cash dispenser, use full-disk encryption, keep software updated, improve physical security. Banks just haven't done it.
Why not? Because ATMs are expensive to upgrade, and most banks treat them as legacy infrastructure - deploy once, maintain minimally, replace when absolutely necessary. The average ATM in the US is over a decade old. Many are running operating systems that Microsoft no longer supports. They're sitting ducks.
The FBI says jackpotting attacks are netting hackers millions in stolen cash. That's not an exaggeration. A single well-organized crew can hit dozens of ATMs in a weekend, walking away with six figures. The stolen cash is difficult to trace and impossible to reverse - unlike credit card fraud or digital theft, there's no chargeback mechanism for physical cash that's already been distributed.
Banks are aware of the problem. Some have upgraded their ATMs, implemented better monitoring, and improved physical security. But many haven't, because the cost of upgrades exceeds the cost of losses from jackpotting - at least in the short term. That calculus changes when you factor in reputational damage and the reality that attacks are accelerating.
