The Department of Justice on Monday announced a federal grand jury indictment charging 31 people for participating in a conspiracy to steal millions from ATMs by deploying Ploutus malware.

The Justice Department has said that between February 2024 and December 2025, the gang stole at least $5.4 million from at least 63 ATMs, most of which belonged to credit unions.

The scheme was complex and required gang members to surveil potential target ATMs and then open the doors of machines they decided to hit to see if alarms went off.

If law enforcement did not respond to the ATMs being opened, gang members would then allegedly take out the ATMs’ hard drives and replace them with ones equipped with Ploutus or would connect thumb drives that unleashed the malware.

The malware was able to order the ATMs to dispense cash by overcoming their security systems.

The Department of Justice has said some of the defendants are illegal immigrants who are members of the Venezuelan gang Tren de Aragua (TdA). The charges brought include conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, bank fraud, bank burglary and damage to computers.

Fifty-six others were charged with participating in the “ATM jackpotting” scheme last month. 

Experts and U.S. agencies have cautioned the public about Ploutus malware for almost ten years and Google researchers have called it “one of the most advanced ATM malware families” they've seen. 

Symantec first detected Ploutus ATM malware in 2013 and it has frequently evolved since then.

The first known ATM jackpotting spree using Ploutus occurred in Mexico in 2013. A variety of ATM vendors have proven vulnerable to the malware, including Diebold Nixdorf and Kalignite Platform.