Ploutus Malware Drains U.S. ATMs Without Cards or Accounts as FBI Issues FLASH Alert
The FBI issued FLASH-20260219-001 on February 19, 2026, warning about Ploutus malware jackpotting attacks on U.S. ATMs. Criminals gain physical access to machines and use malware to dispense cash without cards, accounts, or bank approval. Banks and ATM operators face urgent risks from this growing threat.
Ploutus targets the eXtensions for Financial Services (XFS) layer that controls cash dispensers. A normal withdrawal requires bank authorization; Ploutus instead sends dispense commands directly to the hardware, so attackers can empty a machine in minutes. The FBI reports over 700 incidents in 2025 alone out of 1,900 total cases since 2020. Losses exceed $20 million.
Attackers often start with generic keys to open ATM panels. They swap hard drives, plug in USB devices, or connect keyboards. Many ATMs run Windows, so the malware adapts easily across brands. Offline machines are not protected either, since the commands go straight to the hardware.
The FBI said: “More than 700 jackpotting incidents occurred in 2025 producing over $20 million in losses.”
Attack Indicators Table
| Indicator | Description | Typical Location |
|---|---|---|
| Newage.exe | Suspicious executable | ATM root directories |
| NCRApp.exe | Malware disguised as NCR app | System32 folder |
| WinMonitor.exe | Monitoring process masquerade | Startup folder |
| sdelete.exe | Secure delete tool for cleanup | Temp directories |
Look for new folders like C:\Users\SSAuto1\AppData\Local\P.
Infection Methods
Attackers use these physical tactics:
- Remove and infect ATM hard drive externally.
- Insert pre-loaded USB drive or hub.
- Connect malicious keyboard for commands.
- Exploit open service panels with standard keys.
Because the XFS bypass works offline, no network traffic alerts fire.
Suspicious Registry and Services
Monitor these persistence mechanisms:
- Autorun keys under generic names like “ATM Service.”
- Custom services: “Dispenser Service,” “Cash Manager.”
- Unauthorized remote tools: AnyDesk, TeamViewer installs.
Remote access tools signal insider threats or external C2.
Defensive Hardening Steps
The FBI lists immediate actions:
- Replace standard ATM locks with high-security versions.
- Install tamper-evident sensors and CCTV coverage.
- Enable full disk encryption on ATM drives.
- Implement hardware device whitelisting.
Validate each machine against trusted gold images and file hashes.
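The indicator table above and the gold-image check in this section both come down to the same operation: hash every file on the ATM, compare the result to a trusted manifest, and flag anything added, modified, or missing, with the named Ploutus executables called out explicitly. The following Python script is an added example, not code from the FBI alert or any ATM vendor; the directory layout and file contents it builds in a temporary folder are constructed placeholders, and the indicator names are the four from the table.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Executable names the FBI FLASH lists as Ploutus indicators (matched case-insensitively).
PLOUTUS_INDICATORS = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX-style path -> SHA-256 for every regular file under root."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def validate_against_gold(gold: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live ATM manifest to the trusted gold-image manifest.

    Returns sorted lists of paths that were added, are missing, or whose hash changed,
    plus any live file whose name matches a known Ploutus indicator.
    """
    added = sorted(set(live) - set(gold))
    missing = sorted(set(gold) - set(live))
    modified = sorted(p for p in set(gold) & set(live) if gold[p] != live[p])
    indicators = sorted(p for p in live if Path(p).name.lower() in PLOUTUS_INDICATORS)
    return {"added": added, "missing": missing, "modified": modified, "indicators": indicators}


def demo() -> dict[str, list[str]]:
    """Build a constructed gold image and a tampered live copy, then validate the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        gold_root = Path(tmp) / "gold"
        live_root = Path(tmp) / "live"
        # Constructed sample tree: contents are placeholders, not real ATM software.
        for root in (gold_root, live_root):
            (root / "Windows" / "System32").mkdir(parents=True)
            (root / "Program Files" / "ATMVendor").mkdir(parents=True)
            (root / "Windows" / "System32" / "xfs.dll").write_bytes(b"XFS layer placeholder")
            (root / "Program Files" / "ATMVendor" / "dispenser.exe").write_bytes(b"vendor app v1")
        # Tamper with the live copy the way the indicator table describes:
        # a patched vendor binary, a fake NCR app in System32, a dropper at the root.
        (live_root / "Program Files" / "ATMVendor" / "dispenser.exe").write_bytes(b"vendor app v1 patched")
        (live_root / "Windows" / "System32" / "NCRApp.exe").write_bytes(b"not really an NCR app")
        (live_root / "Newage.exe").write_bytes(b"dropped at root")
        return validate_against_gold(build_manifest(gold_root), build_manifest(live_root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In production the gold manifest is generated once from the approved image, signed, and stored off the ATM; the live manifest is computed on the machine (or from a pulled disk image) and compared centrally, so a compromised ATM cannot simply rewrite its own reference.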
Windows Event IDs to Monitor
Track these for compromise signs:
- 6416: USB device insertion.
- 4663: File write operations.
- 4688: Process creation.
- 1102: Log clearing attempts.
Correlate events across ATMs for attack patterns.
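The four event IDs above only become a detection once they are tied together in sequence on the same machine: a USB insertion (6416) followed shortly by creation of an indicator process (4688), a write into the `AppData\Local\P` folder (4663), or a log clear (1102). The Python below is an added example rather than code from the FBI alert; it runs over constructed, SIEM-style records (the ATM IDs, timestamps, and paths are made up) and then checks which indicator binaries recur across machines, which is the cross-ATM pattern the text recommends looking for. The 30-minute window is an assumed tuning value.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the FBI guidance and what each one indicates.
EVENT_MEANING = {6416: "USB device insertion", 4663: "file write",
                 4688: "process creation", 1102: "log clearing"}
# Executable names from the indicator table (matched case-insensitively).
INDICATOR_EXES = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe"}
# Folder fragment from the alert, lowercased for matching.
PLOUTUS_FOLDER = "\\appdata\\local\\p\\"
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per fleet

# Constructed sample records shaped like normalized Windows Security events
# exported to a SIEM. Not real telemetry.
SAMPLE_EVENTS = [
    {"atm": "ATM-0142", "time": "2026-02-18T02:11:05", "id": 6416, "detail": "USB Mass Storage Device"},
    {"atm": "ATM-0142", "time": "2026-02-18T02:12:40", "id": 4688, "detail": r"C:\Windows\System32\NCRApp.exe"},
    {"atm": "ATM-0142", "time": "2026-02-18T02:13:02", "id": 4663, "detail": r"C:\Users\SSAuto1\AppData\Local\P\config.dat"},
    {"atm": "ATM-0142", "time": "2026-02-18T02:31:55", "id": 1102, "detail": "Security log cleared"},
    {"atm": "ATM-0077", "time": "2026-02-18T09:00:00", "id": 4688, "detail": r"C:\Program Files\Vendor\Monitor.exe"},
    {"atm": "ATM-0077", "time": "2026-02-18T09:05:00", "id": 4663, "detail": r"C:\ProgramData\Vendor\logs\today.log"},
    {"atm": "ATM-0301", "time": "2026-02-19T03:40:10", "id": 6416, "detail": "USB Mass Storage Device"},
    {"atm": "ATM-0301", "time": "2026-02-19T03:42:15", "id": 4688, "detail": r"D:\NCRApp.exe"},
    {"atm": "ATM-0301", "time": "2026-02-19T03:55:00", "id": 4688, "detail": r"C:\Temp\sdelete.exe"},
]


def _exe_name(detail: str) -> str:
    """Last path component of a Windows path, lowercased."""
    return detail.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events: list[dict], window: timedelta = WINDOW) -> dict[str, list[dict]]:
    """Per ATM, find follow-on events within `window` of each USB insertion.

    Returns {atm: [{"kind", "value", "minutes_after_usb"}, ...]} for ATMs with hits.
    """
    per_atm: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        per_atm[e["atm"]].append({**e, "t": datetime.fromisoformat(e["time"])})

    findings: dict[str, list[dict]] = {}
    for atm, evs in per_atm.items():
        evs.sort(key=lambda e: e["t"])
        hits: list[dict] = []
        for i, usb in enumerate(evs):
            if usb["id"] != 6416:
                continue
            for later in evs[i + 1:]:
                delta = later["t"] - usb["t"]
                if delta > window:
                    break  # events are sorted, nothing further is inside the window
                minutes = round(delta.total_seconds() / 60, 1)
                if later["id"] == 4688 and _exe_name(later["detail"]) in INDICATOR_EXES:
                    hits.append({"kind": "indicator_process", "value": _exe_name(later["detail"]),
                                 "minutes_after_usb": minutes})
                elif later["id"] == 4663 and PLOUTUS_FOLDER in later["detail"].lower():
                    hits.append({"kind": "ploutus_folder_write", "value": later["detail"],
                                 "minutes_after_usb": minutes})
                elif later["id"] == 1102:
                    hits.append({"kind": "log_cleared", "value": later["detail"],
                                 "minutes_after_usb": minutes})
        if hits:
            findings[atm] = hits
    return findings


def shared_indicators(findings: dict[str, list[dict]]) -> set[str]:
    """Indicator executables seen on two or more ATMs: the cross-machine pattern."""
    seen_on: dict[str, set[str]] = defaultdict(set)
    for atm, hits in findings.items():
        for h in hits:
            if h["kind"] == "indicator_process":
                seen_on[h["value"]].add(atm)
    return {exe for exe, atms in seen_on.items() if len(atms) >= 2}


if __name__ == "__main__":
    results = correlate(SAMPLE_EVENTS)
    for atm, hits in results.items():
        print(atm)
        for h in hits:
            print(f"  +{h['minutes_after_usb']} min  {h['kind']}: {h['value']}")
    print("indicators recurring across ATMs:", shared_indicators(results))
```

ATM-0077 produces no finding because its process creation and file write have no preceding USB insertion and touch only vendor paths; the other two machines show the insertion-then-indicator sequence, and the shared NCRApp.exe name across them is the kind of fleet-wide pattern that separates a campaign from a single tampered machine.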
Impact Statistics
FBI data shows escalation:
| Year | Incidents | Losses |
|---|---|---|
| 2020-2024 | 1,200 | $15M+ |
| 2025 | 700+ | $20M+ |
| Total | 1,900+ | $35M+ |
Victims often learn of the theft only when a cash shortage is discovered, and network monitoring misses attacks that run offline.
Why Ploutus Succeeds
ATMs prioritize uptime over security. Generic locks invite tampering. XFS standardization aids portability. Windows prevalence lowers barriers. Losses hit banks directly without customer card fraud.
Report incidents to your local FBI field office or through the IC3 portal immediately.
FAQ
- FLASH-20260219-001 warns of 700+ incidents in 2025 with $20M+ losses.
- Malware sends direct XFS commands to ATM hardware, bypassing bank authorization.
- Newage.exe, NCRApp.exe, WinMonitor.exe, sdelete.exe.
- Generic keys open most ATM panels for drive/USB swaps.
- IDs 6416, 4663, 4688, 1102 for USB, files, processes, log clears.
- High-security locks, tamper sensors, disk encryption, device whitelisting.