The Federal Bureau of Investigation (FBI) issued a warning on February 19 local time, stating that hackers are exploiting physical and software vulnerabilities in ATMs to deploy malware, forcing ATMs to dispense cash without legitimate transactions. Such attacks are on the rise in the United States.
The report states that since 2020, 1,900 ATM cash-dispensing attacks have been reported across the United States, with over 700 expected in 2025 alone, resulting in economic losses exceeding $20 million. The warning urges affected institutions to implement protective measures and spells out what information the FBI is asking the public to report.
The attackers deploy ATM cash-dispensing malware, most notably the Ploutus family. This type of malware exploits a weakness in the Extended Financial Services (XFS) protocol, the software layer that issues physical operation instructions to the ATM's hardware. In a legitimate transaction, the ATM application must obtain authorization from the bank before issuing a dispense command through this layer; the malware instead sends commands directly to XFS, completely bypassing bank authorization and forcing the ATM to dispense cash with no bank card or customer account involved.
Ploutus malware attacks the ATM device itself rather than the customer’s account. The cash dispensing operation can be completed in minutes, and the funds are often difficult to detect before they are withdrawn. Once implanted, it gives threat actors direct control over the ATM.
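Because the malware drives the dispenser without any host authorization, the attack leaves a detectable gap: cash leaves the machine with no matching authorized transaction. The following reconciliation check is an added example, not code from the FBI warning or from any ATM vendor; the two log formats and the ATM and transaction identifiers are constructed for illustration, and real XFS journals and host logs will differ in layout.

```python
"""Reconcile ATM dispense events against host (bank) authorizations.

Added example: a defender-side detector that flags every dispense the host
did not authorize. Both log formats below are constructed for illustration
and are not real XFS or host-switch log formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: what the bank host authorized for this ATM.
HOST_AUTH_LOG = """\
2025-02-19T10:01:05Z ATM0042 AUTH txn=A1001 amount=200
2025-02-19T10:07:40Z ATM0042 AUTH txn=A1002 amount=60
"""

# Constructed sample: what the ATM's dispenser actually did. The last two
# entries carry no transaction id and have no authorization behind them,
# the pattern a direct-to-XFS dispense would leave.
DISPENSE_LOG = """\
2025-02-19T10:01:09Z ATM0042 DISPENSE txn=A1001 amount=200
2025-02-19T10:07:44Z ATM0042 DISPENSE txn=A1002 amount=60
2025-02-19T10:15:02Z ATM0042 DISPENSE txn=- amount=2000
2025-02-19T10:15:31Z ATM0042 DISPENSE txn=- amount=2000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    atm: str
    kind: str    # "AUTH" (host side) or "DISPENSE" (device side)
    txn: str     # transaction id, "-" when the dispense carried none
    amount: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed 'timestamp atm kind txn=... amount=...' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, kind, txn_field, amount_field = line.split()
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            atm=atm,
            kind=kind,
            txn=txn_field.split("=", 1)[1],
            amount=int(amount_field.split("=", 1)[1]),
        ))
    return events


def unauthorized_dispenses(auth_events: list[Event],
                           dispense_events: list[Event],
                           window: timedelta = timedelta(seconds=60)) -> list[Event]:
    """Return dispenses that have no host authorization for the same ATM,
    transaction id and amount issued within `window` before the dispense.

    Each authorization is consumed exactly once, so a transaction id that is
    reused to cover a second payout is flagged as well.
    """
    unused = [e for e in auth_events if e.kind == "AUTH"]
    flagged = []
    dispenses = sorted((e for e in dispense_events if e.kind == "DISPENSE"),
                       key=lambda e: e.ts)
    for d in dispenses:
        match = next((a for a in unused
                      if a.atm == d.atm and a.txn == d.txn and a.amount == d.amount
                      and timedelta(0) <= d.ts - a.ts <= window), None)
        if match is None:
            flagged.append(d)
        else:
            unused.remove(match)
    return flagged


def summarize(flagged: list[Event]) -> dict:
    """Aggregate flagged dispenses into an alert-friendly summary."""
    return {
        "count": len(flagged),
        "total_amount": sum(e.amount for e in flagged),
        "atms": sorted({e.atm for e in flagged}),
    }


if __name__ == "__main__":
    hits = unauthorized_dispenses(parse_log(HOST_AUTH_LOG), parse_log(DISPENSE_LOG))
    for h in hits:
        print(f"UNAUTHORIZED DISPENSE {h.atm} {h.ts.isoformat()} amount={h.amount}")
    print(summarize(hits))
```

On the constructed sample the two 2,000-unit dispenses are flagged and the two card-backed withdrawals reconcile cleanly. The matching key (ATM, transaction id, amount, time window) is an assumption for the example; a real deployment keys on whatever correlation fields the host switch and the device journal actually share, and the check is most useful when the device-side journal is shipped off the ATM, since malware with control of the machine can also tamper with logs kept locally.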
Hackers primarily deploy the malware using one of the following two methods:
- The ATM's hard drive is removed, connected to the attacker's own computer to copy the malware onto it, then reinstalled in the device, and the ATM is restarted to complete the implantation.
- The ATM's hard drive is removed and replaced with a third-party hard drive or other external device pre-installed with the malware, and the ATM is then restarted to achieve infection.
