
The U.S. Department of Justice (DoJ) has announced the indictment of 54 individuals for their alleged involvement in an automated teller machine (ATM) “jackpotting” scheme that diverted millions of dollars. The large-scale conspiracy involved the use of Ploutus malware to force ATMs across the country to dispense cash.

According to authorities, the defendants are part of the Venezuelan criminal group Tren de Aragua (TdA), which has been designated as a foreign terrorist organization by the US Department of State.

Details of Jackpotting Scheme and Ploutus Malware

The jackpotting scheme was based on the deployment of Ploutus malware, designed to manipulate the Cash Dispensing Module (CDM) of ATMs and force them to dispense money without authorization. The operation involved the following steps:

  1. Recruitment and Reconnaissance: TdA recruited individuals to carry out the operation. These “mules” performed initial reconnaissance at various ATMs to evaluate external security measures.
  2. Physical Access: The attackers then opened the ATM’s “hood” to test whether doing so triggered an alarm or drew a response from law enforcement.
  3. Malware Installation: Once inside, the threat actors installed Ploutus by replacing the ATM’s hard drive with one preloaded with the malware or by connecting a removable USB drive.
  4. Execution and Evasion: The Ploutus malware issued unauthorized commands to the CDM to force cash withdrawals. Additionally, it was designed to eliminate evidence of its presence in the system, making it difficult for banks to detect the deployment of the malware.
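The four steps above leave traces that an ATM operator can correlate: a hood-open event, a removable-device attach, and cash dispensed without a matching host-authorized transaction. The script below is an added example written for this page, not code from the DoJ filing or from any vendor; the journal format it parses is a constructed, hypothetical one (ISO timestamp, ATM id, event type, key=value fields), and the event names `TXN_AUTH`, `HOOD_OPEN`, `USB_ATTACH` and `DISPENSE` are assumptions. It flags a dispense that has no recent host authorization of the same amount, or that follows a tamper event within an hour.

```python
"""Added example: flag ATM journal entries consistent with a jackpotting attempt.

The log format is constructed and hypothetical; real ATM journals differ by vendor.
A DISPENSE is flagged when it is not covered by a recent host-authorized TXN_AUTH
of the same amount, or when it follows a HOOD_OPEN / USB_ATTACH on the same ATM.
"""
from datetime import datetime, timedelta

# Constructed sample journal lines (hypothetical format, not real data).
SAMPLE_LOG = """\
2025-08-01T10:00:00 ATM-0042 TXN_AUTH amount=100 auth=host
2025-08-01T10:00:05 ATM-0042 DISPENSE amount=100
2025-08-01T23:12:10 ATM-0042 HOOD_OPEN
2025-08-01T23:13:02 ATM-0042 USB_ATTACH
2025-08-01T23:20:40 ATM-0042 DISPENSE amount=2000
2025-08-01T23:21:05 ATM-0042 DISPENSE amount=2000
2025-08-02T09:30:00 ATM-0077 TXN_AUTH amount=60 auth=host
2025-08-02T09:30:03 ATM-0077 DISPENSE amount=60
"""

AUTH_WINDOW = timedelta(seconds=30)   # how long a host authorization stays valid
TAMPER_WINDOW = timedelta(hours=1)    # how long a tamper event taints later dispenses


def parse_line(line):
    """Split one journal line into a dict of timestamp, ATM id, event and fields."""
    ts, atm, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "atm": atm, "event": event, **fields}


def find_suspicious_dispenses(log_text, auth_window=AUTH_WINDOW, tamper_window=TAMPER_WINDOW):
    """Return (atm, timestamp, amount, reasons) for every dispense worth reviewing."""
    last_auth = {}    # atm -> (ts, amount) of the most recent unconsumed host authorization
    last_tamper = {}  # atm -> ts of the most recent HOOD_OPEN / USB_ATTACH
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        atm, ts, ev = rec["atm"], rec["ts"], rec["event"]
        if ev == "TXN_AUTH" and rec.get("auth") == "host":
            last_auth[atm] = (ts, rec.get("amount"))
        elif ev in ("HOOD_OPEN", "USB_ATTACH"):
            last_tamper[atm] = ts
        elif ev == "DISPENSE":
            reasons = []
            auth = last_auth.get(atm)
            if auth is None or ts - auth[0] > auth_window or auth[1] != rec.get("amount"):
                reasons.append("no matching host authorization")
            else:
                last_auth.pop(atm)  # one authorization covers exactly one dispense
            tamper = last_tamper.get(atm)
            if tamper is not None and ts - tamper <= tamper_window:
                reasons.append("recent tamper event")
            if reasons:
                alerts.append((atm, ts.isoformat(), rec.get("amount"), reasons))
    return alerts


if __name__ == "__main__":
    for atm, when, amount, reasons in find_suspicious_dispenses(SAMPLE_LOG):
        print(f"{when} {atm} dispensed {amount}: {', '.join(reasons)}")
```

On the constructed sample, the two night-time dispenses on ATM-0042 are flagged for both reasons, while the daytime dispenses covered by a host authorization pass. The one-authorization-per-dispense rule is what separates a malware-driven cash-out loop from a legitimate transaction; the windows are tunable assumptions, not vendor defaults.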

The Scope of the Operation and the Tren de Aragua Criminal Group

The Department of Justice alleges that the stolen funds were transferred to Tren de Aragua leaders to finance terrorist activities and other criminal enterprises, such as illicit drug trafficking, human trafficking, extortion, and the sexual exploitation of women and children.

Since 2021, a total of 1,529 jackpotting incidents have been recorded in the US, with losses amounting to approximately $40.73 million USD as of August 2025.

The charges are split across two indictments: one against 22 people for bank fraud, theft and money laundering (filed on December 9, 2025) and another against 32 people for conspiracy to commit bank and computer fraud (filed on October 21, 2025). If convicted, the defendants could face maximum sentences of between 20 and 335 years in prison.

History of Ploutus Malware

The Ploutus malware was first detected in Mexico in 2013. Its evolution has been documented over the years:

  • 2014 (Symantec): Detailed how a vulnerability in Windows XP-based ATMs allowed cybercriminals to withdraw cash simply by sending an SMS to the compromised ATMs.
  • 2017 (FireEye/Mandiant): The Ploutus-D variant demonstrated the ability to control Diebold ATMs and run on various versions of Windows. At the time, it was explained that the operation required a “money mule” to have a master key to access the ATM, a physical keypad, and an activation code from the “boss” to dispense the money.

Conclusions

This case highlights the persistent threat of ATM jackpotting and the sophistication of the operations of transnational criminal groups such as Tren de Aragua. Collaboration between law enforcement agencies has been crucial to dismantling this network, but the incident also highlights the need to strengthen the physical and logical security of the ATM infrastructure to prevent future attacks.

References

  • U.S. Department of Justice (DoJ) announcement.
  • Symantec report on Ploutus (2014).
  • FireEye/Mandiant analysis of Ploutus-D (2017).