Papa Carder
Professional
ATM jackpotting methods (as of February 2026) are a combination of physical access and cyberattacks, in which carders force an automated teller machine (ATM) to dispense cash without a legitimate transaction, card, PIN, or bank authorization. This is not a "hacking" of customer accounts, but rather direct control of the cash dispenser inside the machine.
According to news sources (February 2026), approximately 1,900 jackpotting incidents have been recorded since 2020, of which more than 700 occurred in 2025, with losses exceeding $20 million (some sources put the figure at up to $40 million). Attacks have increased sharply in the United States, often linked to organized groups of carders.
Main Jackpotting Methods in 2026
All attacks require physical access to the ATM (usually unattended — on the street or in stores). Carders use generic keys (universal keys available on the black market) to open the front panel/cabinet.

- Malware infection via hard drive (most common in 2026)
  - Open the ATM and disconnect the hard drive.
  - They connect it to their laptop → copy malware (most often the Ploutus family - Ploutus-D and variations).
  - They put the disk back and reboot the ATM (or completely replace the disk with one preloaded with malware).
  - The malware exploits XFS (eXtensions for Financial Services), a standard software layer that controls the physical operations of an ATM (dispenser, printer, etc.).
  - After installation: full control — the ATM dispenses cash on command (cash-out in minutes, often up to $100,000+ at a time). The malware removes traces to hide the infection.
  - Ploutus was first spotted in Mexico in 2013, but was actively used in the US in 2025–2026 (bypassing bank authorization completely).
  - Attack time: 5–15 minutes for installation + minutes for cash-out.
- Black Box attacks (hardware bypass)
  - They open the cabinet and turn off the original computer/dispenser.
  - Connect an external device (a "black box" - Raspberry Pi, custom board or laptop) to the dispenser ports (USB, RS-232, or directly to the cash module).
  - The black box sends direct commands to issue cash, bypassing the ATM software and the bank's network.
  - Often combined with malware (the black box downloads it automatically).
  - ~70% of ATMs are vulnerable (according to old estimates, but still relevant).
  - Advantage: works even on new models with chips/EMV, if the dispenser is not protected.
- Direct Memory Access (DMA) attacks
  - Connect the device via PCIe/Thunderbolt-like ports or other internal interfaces for direct access to ATM memory.
  - Inject code or commands into RAM, causing the dispenser to operate.
  - Mentioned in ABA alerts 2026 as an emerging threat.
- Logical attacks (less common in 2026)
  - Via USB (bootable flash drive) or network (if the ATM is connected to an unsecured network).
  - Install malware without removing the disk.
  - Less popular now - physical access is easier and more reliable.
- Combined / Insider-assisted
  - Sometimes an insider (a service/bank employee) leaves access or installs a device.
  - Groups (TdA and similar) coordinate: one opens, another cashes out, a third takes the money.
Why attacks are effective in 2026
- Many ATMs on Windows (vulnerable to malware).
- XFS is a weak point (it does not encrypt commands).
- Physical access is easy (generic keys, no tamper-evident seals).
- Cashing out is fast and "quiet" (no transaction at the bank - detection after the fact).
- Organized groups develop/sell malware on the underground, and split the profits after cashing out.
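Added defensive example (not part of the post above, and not any vendor's or bank's code): the post's own observation that a jackpotting cash-out leaves "no transaction at the bank" is also the detection handle. A reconciliation job that compares what the dispenser reports against what the host actually authorized flags dispenses with no matching authorization, and bursts of dispenses on one terminal. The log line format, terminal IDs and amounts below are constructed for the example; real XFS journals and host logs have their own formats, so only the matching logic carries over.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Assumed line format:
# "<ISO timestamp> <terminal> <event> key=value ..."
# HOST_AUTH_LOG: what the bank host authorized (card-present withdrawals).
HOST_AUTH_LOG = """\
2026-02-10T09:14:02Z ATM0427 AUTH amount=20000 pan_last4=1234
2026-02-10T09:40:15Z ATM0427 AUTH amount=40000 pan_last4=8890
2026-02-10T10:05:50Z ATM0901 AUTH amount=10000 pan_last4=4411
"""

# DISPENSER_LOG: what the cash dispenser itself reports having paid out.
# The last three lines model a jackpotting cash-out: large, rapid, unauthorized.
DISPENSER_LOG = """\
2026-02-10T09:14:05Z ATM0427 DISPENSE amount=20000
2026-02-10T09:40:17Z ATM0427 DISPENSE amount=40000
2026-02-10T10:05:53Z ATM0901 DISPENSE amount=10000
2026-02-10T11:02:33Z ATM0427 DISPENSE amount=250000
2026-02-10T11:02:41Z ATM0427 DISPENSE amount=250000
2026-02-10T11:02:49Z ATM0427 DISPENSE amount=250000
"""


def parse_log(text):
    """Parse the assumed line format into dicts; 'amount' is in minor units."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, kind, *kvs = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "terminal": terminal, "kind": kind}
        for kv in kvs:
            key, val = kv.split("=", 1)
            rec[key] = int(val) if key == "amount" else val
        events.append(rec)
    return events


def reconcile(host_text, dispenser_text, window=timedelta(seconds=60)):
    """Return dispense events that have no host authorization for the same
    terminal and amount within `window` before the dispense. Each
    authorization is consumed once, so a repeated dispense against one
    authorization is flagged as well."""
    auths = defaultdict(list)
    for a in parse_log(host_text):
        if a["kind"] == "AUTH":
            auths[a["terminal"]].append(a)

    unmatched = []
    for d in parse_log(dispenser_text):
        if d["kind"] != "DISPENSE":
            continue
        candidates = auths[d["terminal"]]
        match = next((a for a in candidates
                      if a["amount"] == d["amount"]
                      and timedelta(0) <= d["ts"] - a["ts"] <= window), None)
        if match is None:
            unmatched.append(d)
        else:
            candidates.remove(match)
    return unmatched


def dispense_bursts(dispenser_text, min_events=3, span=timedelta(seconds=60)):
    """Report runs of at least `min_events` dispenses on one terminal within
    `span`, the rapid cash-out pattern the post describes."""
    per_terminal = defaultdict(list)
    for d in parse_log(dispenser_text):
        if d["kind"] == "DISPENSE":
            per_terminal[d["terminal"]].append(d)

    bursts = []
    for terminal, evs in per_terminal.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= span:
                j += 1
            if j - i + 1 >= min_events:
                bursts.append({"terminal": terminal, "count": j - i + 1,
                               "total": sum(e["amount"] for e in evs[i:j + 1]),
                               "start": evs[i]["ts"], "end": evs[j]["ts"]})
                i = j + 1
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for e in reconcile(HOST_AUTH_LOG, DISPENSER_LOG):
        print("UNAUTHORIZED DISPENSE", e["terminal"], e["ts"], e["amount"])
    for b in dispense_bursts(DISPENSER_LOG):
        print("DISPENSE BURST", b["terminal"], b["count"], "events", b["total"])
```

The reconciliation runs on logs the attacker never touches (the host's own authorization records), which is why it still works when the malware "removes traces" on the ATM; the burst rule is a cheaper near-real-time signal on the dispenser feed alone. Tune the window and burst thresholds to the fleet's real transaction timing before alerting on them.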
