A simple thumb drive was all it took to drain millions of dollars from bank machines across the United States. Federal authorities in Nebraska have charged 31 more suspects in a massive cybercrime ring, bringing the total number of defendants to 87. The sophisticated “jackpotting” scheme turned ordinary ATMs into cash-spitting slot machines using a malware strain known as Ploutus.
This latest wave of indictments reveals the terrifying scale of a digital bank heist that has hit financial institutions nationwide. Prosecutors allege that these criminals did not need guns or masks to rob banks. They just needed a specific type of software and ten minutes alone with a machine. The FBI and the Department of Justice are now working with local agencies to close the net on one of the largest bank fraud conspiracies in recent history.
FBI hunts down nationwide cash theft ring
The Department of Justice confirmed that a federal grand jury in Nebraska returned the new indictments this week. This legal action follows two previous rounds of charges filed in late 2024. The investigation is being led by the FBI Omaha Field Office and Homeland Security Investigations. They are coordinating with dozens of other law enforcement agencies to track down every member of this sprawling criminal network.
The charges include conspiracy to commit bank fraud and computer fraud.
Authorities state that the group operated like a well-oiled business. They allegedly moved across the country to target specific machines that were vulnerable to their attacks. The sheer number of individuals charged suggests an organized hierarchy rather than a few isolated hackers. The prosecutors from the U.S. Attorney’s Office for the District of Nebraska are pushing for severe penalties.
“These defendants allegedly used malware to bypass security protocols and steal millions of dollars from financial institutions,” the DOJ statement said of the crimes.
If convicted, the defendants face serious prison time. The sentences could range from 20 years to a staggering 335 years depending on the specific charges and criminal history of each individual. All defendants are presumed innocent until proven guilty in a court of law.
Hackers used old software to control machines
The method used in these thefts is known in the cybersecurity world as “jackpotting.” It is a vivid term that describes exactly what happens. The machine dispenses bills rapidly until it is empty, much like a winning slot machine in a casino. The key to this attack is that most ATMs are essentially just standard personal computers inside a metal box.
Many of these machines still run on older versions of Windows. Some use Windows 10 LTSC 2015 or even older operating systems that are reaching their end of life. This makes them vulnerable to the same viruses that might infect a home laptop. The attackers allegedly used a malware variant called Ploutus to exploit these weaknesses.
Ploutus targets the software layer that talks to the cash dispenser.
This layer is called XFS, or eXtensions for Financial Services. You can think of XFS as a translator. It takes commands from the bank software and tells the hardware to give you cash. The malware cuts the bank software out of the loop. It speaks directly to the XFS layer. This allows the thieves to issue commands to dispense cash without any money actually being withdrawn from a customer account.
How Ploutus Compares to Skimming
| Feature | Card Skimming | Jackpotting (Ploutus) |
|---|---|---|
| Target | Individual bank customers | The bank’s cash reserves |
| Hardware | Reader over the card slot | USB drive inside the machine |
| Victim | Account holders | The financial institution |
| Speed | Takes days or weeks to harvest data | Instant cash payout |
Thieves opened ATMs in less than ten minutes
The indictments paint a picture of a fast and physical crime. The DOJ alleges that the groups would travel in multiple vehicles to scout their targets. They looked for banks and credit unions with specific ATM models. They also checked for security cameras and alarm response times.
Once a target was selected, they moved quickly. The suspects reportedly used keys or tools to open the top portion of the ATM chassis. This is where the computer components are stored. They did not need to drill into the safe at the bottom. They simply needed access to a USB port.
The hackers would insert a thumb drive loaded with the Ploutus malware. In some cases, they allegedly swapped the hard drive entirely. The malware would then force the machine to dispense cash. The entire process often took less than ten minutes.
- Scout: The team identifies a vulnerable machine.
- Access: They open the service panel of the ATM.
- Infect: A USB drive or mobile device is connected.
- Cash Out: The machine spits out bills on command.
- Clean Up: The malware deletes its own tracks before they leave.
The ability to delete evidence is what made this scheme so successful for so long. Bank employees often would not know how the money went missing until a physical audit was done. By then, the thieves were long gone.
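Because the malware drives the dispenser without a host-approved withdrawal, and the physical audit comes too late, one defensive check is to reconcile dispenser activity against host authorizations continuously. The sketch below is an added example, not code from the DOJ filings or any ATM vendor; the event names, field layout and time windows are assumptions, and it presumes ATM events are forwarded to a central collector so that on-box cleanup cannot erase them.

```python
from datetime import datetime, timedelta

# Constructed sample data; event types and fields are assumptions,
# not a real vendor or XFS log format.
ATM_EVENTS = [
    ("2025-01-10T02:10:00", "ATM-17", "DISPENSE", 200),
    ("2025-01-10T03:01:12", "ATM-17", "TOP_CABINET_OPEN", 0),
    ("2025-01-10T03:02:40", "ATM-17", "USB_ATTACH", 0),
    ("2025-01-10T03:05:03", "ATM-17", "DISPENSE", 2000),
    ("2025-01-10T03:05:41", "ATM-17", "DISPENSE", 2000),
    ("2025-01-10T09:30:00", "ATM-17", "DISPENSE", 60),
]
HOST_AUTHORIZATIONS = [  # withdrawals the bank host approved (constructed)
    ("2025-01-10T02:09:57", "ATM-17", 200),
    ("2025-01-10T09:29:55", "ATM-17", 60),
]

MATCH_WINDOW = timedelta(seconds=30)   # assumed approval-to-dispense latency
TAMPER_WINDOW = timedelta(minutes=10)  # the article's "less than ten minutes"


def ts(text):
    return datetime.fromisoformat(text)


def find_unauthorized_dispenses(atm_events, host_auths):
    """Return dispenses with no matching host approval, plus tamper context."""
    unused = [(ts(t), atm, amt) for t, atm, amt in host_auths]
    events = sorted((ts(t), atm, kind, amt) for t, atm, kind, amt in atm_events)
    findings = []
    for when, atm, kind, amount in events:
        if kind != "DISPENSE":
            continue
        match = next((auth for auth in unused
                      if auth[1] == atm and auth[2] == amount
                      and timedelta(0) <= when - auth[0] <= MATCH_WINDOW), None)
        if match:
            unused.remove(match)  # one approval covers exactly one dispense
            continue
        # Cabinet or USB activity on the same ATM shortly before the dispense
        tamper = sorted({k for w, atm_id, k, _ in events
                         if atm_id == atm and k != "DISPENSE"
                         and timedelta(0) <= when - w <= TAMPER_WINDOW})
        findings.append({"atm": atm, "time": when.isoformat(), "amount": amount,
                         "tamper_events": tamper,
                         "severity": "critical" if tamper else "high"})
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_dispenses(ATM_EVENTS, HOST_AUTHORIZATIONS):
        print(finding)
```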
Banks face urgent need to upgrade security
This case serves as a loud wake-up call for the banking industry. The fact that criminals could use a decade-old malware strain to steal millions shows a gap in physical and digital security. Financial institutions are now under pressure to upgrade their software and harden the physical casings of their machines.
Europol and Trend Micro have warned about Ploutus for years. The malware has evolved since it was first seen in Mexico in 2013. Newer versions can even be controlled remotely. Some criminals have physically installed a mobile phone inside the ATM casing. This allows them to send a text message to the machine to make it dispense cash later.
The transition to newer versions of Windows and better physical locks is ongoing. However, with thousands of older machines still in operation, the risk remains high. Consumers are generally safe from losing their own money in these specific attacks since the cash comes from the bank’s vault, not a user account. But the costs eventually trickle down to everyone in the form of fees and interest rates.
These arrests mark a significant victory for law enforcement. Yet, the cat-and-mouse game between security experts and digital thieves continues. As banks patch these holes, criminals are likely already working on the next way to crack the vault.