ATM Jackpotting ring busted: 54 indicted by DoJ
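The U.S. Department of Justice has indicted 54 people in an ATM malware attack case involving millions of dollars and linked to the terrorist organization Tren de Aragua. 2025-12-20 21:7:39 Author: securityaffairs.com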

Pierluigi Paganini December 20, 2025

The U.S. Department of Justice has indicted 54 individuals over a multi-million-dollar ATM jackpotting fraud scheme.

The U.S. DoJ indicted 54 people for a nationwide ATM jackpotting scheme that stole millions via malware. The case links the crimes to the cybercrime group Tren de Aragua and includes charges of fraud, money laundering, and material support to a terrorist organization.

ATM jackpotting is a type of cyber-enabled bank robbery in which criminals infect an ATM with malware or use physical access to force it to dispense cash on demand.

Instead of stealing cards or PINs, attackers break into the ATM’s internal system, usually by opening the cabinet, connecting a device, or replacing the hard drive. Once inside, they run malicious software that sends unauthorized commands to the cash dispenser, causing the machine to “jackpot” and release all available money.

The attackers then collect the cash and leave, often within minutes, without alerting customers or triggering immediate alarms.

Among the accused is Jimena Romina Araya Navarro, an alleged leader of the Tren de Aragua gang, already sanctioned by the U.S. Treasury. Authorities say the group carried out coordinated burglaries, laundered the stolen money, and used part of the proceeds to support criminal and terrorist activities. If convicted, some defendants face sentences ranging from 20 to 335 years in prison.

“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy and that money is alleged to have gone to Tren de Aragua leaders to fund their terroristic activities and purposes. A tirelessly dedicated team of Nebraska law enforcement agents and officers banded together to identify this vast international criminal network and to follow the money trail of this devastating financial crime back to its terroristic roots in Venezuela,” said United States Attorney Lesley Woods. “This case demonstrates what state, federal, and local law enforcement officers can accomplish when they fully join forces. The United States Attorney’s Office stands ready to fight alongside our law enforcement partners to defeat any threat to national security and to Nebraska’s security. TdA members will find no safe harbor in the State of Nebraska.”

In 2025, Nebraska charged 67 alleged TdA members with crimes ranging from bank fraud and money laundering to child sex trafficking and computer offenses. The cases fall under the Homeland Security Task Force initiative, which unites U.S. agencies to dismantle cartels, gangs, and transnational criminal networks, with a strong focus on protecting children and prosecuting the most dangerous offenders.

The conspiracy used a malware strain called Ploutus to break into ATMs and force them to release cash. Recruited crews traveled across the U.S., scouting banks and credit unions and checking security around ATMs.

“The Ploutus malware’s primary purpose was to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force withdrawals of currency,” reads the DoJ’s press release. “The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM.”

They opened ATM panels, waited to see if alarms triggered, then installed the malware by swapping or removing hard drives or plugging in external devices. Ploutus sent illegal commands to the cash dispenser and wiped traces of itself to hide the attack. After emptying the machines, the groups divided the stolen money based on prearranged shares.

Ploutus malware was first spotted in Mexico in 2013. Later analyses showed it could control Diebold ATMs on multiple Windows versions, enabling rapid cash theft with physical access and activation codes.

Source: https://securityaffairs.com/185908/cyber-crime/atm-jackpotting-ring-busted-54-indicted-by-doj.html