Pakistan banks warned of malware attack to drain cash from ATMs

Advisory by 1LINK requests banks to enhance protection of ATM networks

Business Desk

The Business Desk tracks economic trends, market movements, and business developments, offering analysis of both local and global financial news.

[Image: an illustration of a malware attack virus alert. Credit: Shutterstock]

Pakistan's largest payment switch and interbank settlement network, 1LINK, has issued a security advisory to commercial banks warning of a growing global threat from ATM jackpotting malware, known as Ploutus, which enables criminals to physically compromise cash machines and trigger unauthorized bulk withdrawals.

The malware has caused global concern. The US Federal Bureau of Investigation (FBI) issued a similar alert on February 19, warning that ATM jackpotting incidents across the United States have increased recently.

Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them — with more than $20 million in losses — occurred in 2025 alone, the FBI alert noted.

What is ATM jackpotting?

ATM jackpotting is a form of physical cyberattack in which criminals gain direct access to a cash machine's internal hardware and install malware that forces the ATM to dispense cash on command.

Unlike card skimming or account fraud, the attack does not target any individual customer. Ploutus attacks the ATM itself rather than customer accounts, enabling fast cash-out operations that can occur in minutes and are often difficult to detect until after the money is withdrawn.

The backdoor malware allows cybercriminals to bypass bank authorization entirely and instruct the ATM to dispense cash on demand until the machine is empty.

How the attack works

According to the 1LINK advisory, attackers gain entry to ATMs using widely available generic keys, often purchased online, that can open machines from multiple manufacturers. Once inside, they deploy the malware through one of two methods: removing the ATM's internal hard drive, loading it with malicious software on an external computer and reinstalling it, or simply replacing the original drive with one preloaded with the malware, then rebooting the machine.

The malware then exploits a software layer called eXtensions for Financial Services (XFS), which tells ATMs what to do when a legitimate transaction occurs.

If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand.

Security measures

The 1LINK advisory urges banks to strengthen the security of their ATM networks.

On the physical front, banks have been advised to replace the standard generic locks on ATM cabinets, install vibration and temperature sensors to detect tampering, fit keypads on maintenance hatches that trigger alarms if a code is not entered, and ensure security cameras cover all relevant areas with footage preserved for incident response.

For hardware, the advisory recommended configuring ATMs to automatically shut down or go out of service when a combination of indicators of compromise is detected.

The banks have been advised to disable external storage interfaces such as USB ports by default, with reactivation only through a formally approved process backed by continuous monitoring and logging.

On the network side, IP whitelisting to block remote connections from unexpected addresses, endpoint detection and response software, and application whitelisting are all recommended to limit the malware's ability to communicate or execute once deployed.

The banks have been advised to regularly audit ATM devices, change all default credentials, and conduct pre-production security assessments before deploying updates to live machines.
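As an added illustration of the hardware measure above (this is not code from 1LINK or this article): a small Python correlator that parses a constructed ATM event log, scores the advisory's indicator types within a ten-minute window, suppresses events from a service visit authenticated by a hatch keypad code, and marks a unit out of service only when a combination of indicators appears. Event names, weights, thresholds and the log format are assumptions.

```python
# Added example (not from the 1LINK advisory or the article): correlate ATM
# tamper indicators and decide when a unit should go out of service.
from datetime import datetime, timedelta

# Constructed sample log, one "<ISO time> <atm id> <event>" per line.
SAMPLE_LOG = """\
2025-03-01T02:10:05 ATM-17 cabinet_open
2025-03-01T02:11:40 ATM-17 vibration_alarm
2025-03-01T02:14:02 ATM-17 reboot
2025-03-01T02:14:30 ATM-17 usb_attach
2025-03-01T02:16:00 ATM-17 dispense_no_host_auth
2025-03-01T09:00:00 ATM-22 cabinet_open
2025-03-01T09:00:10 ATM-22 maintenance_code_ok
2025-03-01T09:30:00 ATM-22 reboot
"""

# Assumed indicator weights, roughly by severity: cabinet access and sensors,
# OS/hardware events, and a dispense the host never authorized (XFS abuse).
INDICATOR_WEIGHTS = {
    "cabinet_open": 1, "vibration_alarm": 1, "temperature_alarm": 1,
    "reboot": 1, "usb_attach": 2, "dispense_no_host_auth": 3,
}
# A valid hatch keypad code marks an authorized service visit (not tampering).
SUPPRESSORS = {"maintenance_code_ok"}
THRESHOLD = 3                  # minimum combined weight
MIN_DISTINCT = 2               # "combination": at least two indicator types
WINDOW = timedelta(minutes=10)

def parse_log(text):
    """Parse the log format above into sorted (timestamp, atm_id, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, atm, name = line.split()
            events.append((datetime.fromisoformat(ts), atm, name))
    return sorted(events)

def evaluate(events):
    """Return {atm_id: 'out_of_service' | 'ok'} using a sliding time window."""
    decisions = {}
    for ts, atm, _ in events:
        decisions.setdefault(atm, "ok")
        window = [e for e in events if e[1] == atm and ts <= e[0] <= ts + WINDOW]
        if any(e[2] in SUPPRESSORS for e in window):
            continue  # authenticated maintenance visit: do not alarm
        kinds = {e[2] for e in window if e[2] in INDICATOR_WEIGHTS}
        score = sum(INDICATOR_WEIGHTS.get(e[2], 0) for e in window)
        if score >= THRESHOLD and len(kinds) >= MIN_DISTINCT:
            decisions[atm] = "out_of_service"
    return decisions
```

Running `evaluate(parse_log(SAMPLE_LOG))` flags ATM-17, whose cabinet opening, reboot, USB attach and unauthorized dispense all fall within ten minutes, while ATM-22's keypad-authenticated service visit stays in service.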
