An already expansive investigation into a widespread scheme to steal money from ATMs around the United States grew even larger this week when federal prosecutors announced that 31 people were charged for their roles in the operation.

The latest indictment brings to 87 the number of people charged in connection with the “ATM jackpotting” scheme that ran from February 2024 to December 2025 and resulted in at least $5.4 million being stolen, according to the U.S. Justice Department (DOJ). Fifty-six other people were indicted over the past few months.

Many of those charged allegedly are members of Tren de Aragua, a Venezuelan criminal gang that was one of eight South American criminal syndicates designated by State Department in February 2025 as Foreign Terrorist Organizations and Specially Designated Global Terrorists.

The people charged are accused of being involved in incidents that targeted more than five dozen ATMs, most of which were linked to banks and credit unions. The operation was highly organized, with groups of people involved in the conspiracy going to the locations of targeted ATM machines for reconnaissance, determining the security around them.

Once a machine was chosen, the group would open the door or hood to the ATMs, then pull back and wait nearby to see if doing so triggered an alarm that brought police. If not, they would remove the system’s hard drive and install the Ploutus malware by replacing it with another hard drive that was preloaded with the malware, installing it directly, or connecting a thumb drive that would deliver the malware.

Ploutus Malware Gets the Cash Rolling

Ploutus – which has been around for more than a decade, having first been detected in 2013 – is designed to force an ATM to dispense cash by bypassing the security features in it. The malware also deleted evidence of itself in the machine to hide its deployment, according to the DOJ.

“The announcement of charges against a total of 87 defendants underscores both the massive scale of these alleged conspiracies and the strength and skill of our investigators and prosecutors who dismantle them,” Assistant Attorney General Tysen Duva said in a statement.

Jackpotting an Evolving Threat

Attacks on ATMs – including jackpotting – aren’t new, but the tactics used are getting more sophisticated as technology evolves.

“We still see traditional physical attacks on ATMs – from cutting and grinding to ramming and exploding – but the threat most concerning many in the industry is a cyber attack,” Diebold Nixdorf, which makes self-service transaction technology, including ATM machines, wrote in a report. “These breaches may leave less physical damage in their wake, but they can deal a greater blow to financial institutions’ bottom lines, as well as their reputations.”

The company noted a surge in such jackpotting attacks that started in 2017, adding that “as the hardware, malware and methods used to orchestrate ATM jackpotting and cyber attacks continue to evolve, we are seeing some troubling trends develop. … Jackpotting attacks can be difficult to detect and are sometimes coordinated across numerous ATMs in multiple countries by gangs of thieves, resulting in millions of dollars in losses before a problem is identified.”

Law enforcement and security vendors have been warning about Ploutus for years. Rescana researchers in a recent report outlined the evolution of the modular and highly obfuscated malware, including a number of variants that have been run out over the years. They also pointed to the Tren de Aragua gang as the primary user of Ploutus, and said that the group has been running its ATM jackpotting campaign in the United States since 2021, stealing more than $40 million from 1,500-plus ATMs.

“The campaign demonstrates the evolving threat landscape facing financial institutions, with attackers exploiting both physical and digital vulnerabilities in ATM infrastructure,” they wrote.

Tren de Aragua a Long-Time Syndicate

According to the State Department, Tren de Aragua emerged in Venezuela in the mid-2000s and now includes cells in Colombia, Peru, and Chile and a presence in Brazil, Ecuador, and Bolivia. The criminal organization has been linked to kidnapping extortion, bribery, and other high-profile crimes.

The group “grew from a prison gang to a transnational criminal organization to a foreign terrorist organization, Chris Eason, co-director of the DOJ’s Joint Task Force Vulcan, which was involved in the investigation, said in a statement, adding that it used the money stolen through the ATM jackpotting to help fund its other criminal activities.

The suspects indicted this week collected were charged 32 counts that included conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, bank fraud, bank burglary, and damage to computers.