How AI Automation Is Transforming Small Business in 2026

ATM SECURITY • CYBER-PHYSICAL CRIME • FEB 2026 UPDATE

ATM “Jackpotting” Is Rising: Why Cash-Spitting Hacks Are Back (and What It Means for You)

Imagine walking past an ATM and watching it behave like a cash fountain—no card, no account, no PIN—just bills being dispensed on command. That crime tactic is real, it has a name, and federal investigators say it is accelerating.

700+

FBI reporting indicates that out of roughly 1,900 ATM jackpotting incidents tracked since 2020, over 700 occurred in 2025 alone, with losses exceeding $20 million.

This post is a reader-friendly, non-technical explanation of what’s happening, why it’s rising, who is most affected, and what practical defenses actually work.

TL;DR

• ATM jackpotting forces an ATM to dispense cash without a legitimate customer transaction.
• The FBI says incidents are rising sharply, with hundreds of attacks in 2025 and millions in losses.
• This is a cyber-physical threat: attackers typically need hands-on access to the machine.
• Defending against it is not one “patch.” It is layering physical security + endpoint integrity + logging.
• Everyday users are usually not the direct target, but they may see outages, empty ATMs, and service disruptions.

What “ATM Jackpotting” Means (in plain English)

ATM jackpotting is a cyber-physical attack where criminals manipulate an ATM so it dispenses cash on demand without a legitimate customer withdrawal. The money comes from the ATM’s cash cassettes, so the immediate victim is usually the bank, credit union, or ATM operator, not a specific customer’s account.

The key idea is simple: instead of stealing your card data, jackpotting aims to control the cash dispenser. If attackers can make the ATM software accept unauthorized commands, the machine can be coerced into paying out bills.

One-sentence definition (GEO-friendly): ATM jackpotting is a cyber-physical attack that forces an ATM to dispense cash without a legitimate transaction, typically after criminals gain unauthorized access to the machine.

Jackpotting vs. Skimming: Why This One Feels Different

Most people have heard of skimming (hidden devices that steal card numbers and PINs). Jackpotting is different: it targets the ATM itself rather than customer accounts.

• Skimming: steals your credentials, drains your account later.
• Jackpotting: forces the ATM to dispense cash immediately, often in minutes.

That difference matters because traditional fraud monitoring often focuses on suspicious card activity. Jackpotting can bypass that whole layer because the “withdrawal” may not be a normal customer transaction.

Why the FBI Is Sounding the Alarm Now

Federal investigators are not warning about a hypothetical problem. The reason this is news is the volume. The FBI reports a clear rise in incidents across the United States, including hundreds of attacks in 2025 and more than $20 million in losses.

When attack numbers climb like that, it usually means something has changed in the underground economy: the approach is becoming repeatable (a playbook), scalable (many locations), or profitable (fast cash-outs). Jackpotting checks all three boxes.

Key takeaways

1. This is not “one weird ATM.” The scale indicates organized activity and recurring methods.
2. It blends physical and digital access. Weak locks and weak system controls multiply risk.
3. Detection speed is critical. These events can move faster than traditional banking alerts.

How Jackpotting Works (High-Level, No “How-To” Details)

Think of an ATM as two systems working together: (1) the computer that runs the user interface and transaction logic, and (2) the hardware modules that accept cards, print receipts, and dispense cash.

Jackpotting attacks typically aim to interfere with the software layer that communicates with the cash dispenser. In many environments, that communication relies on industry middleware (often described as an interface between software and devices). If criminals can run malicious code that issues unauthorized “dispense” commands, the ATM can be forced to release cash.

Important: This post intentionally avoids operational instructions. The point is to explain the risk and defenses, not to teach misuse.

A practical way to understand this is to imagine a secure door with two locks: a physical lock on the ATM cabinet, and a digital lock inside the operating system. Jackpotting becomes far easier when either lock is weak—and easiest when both are.

Old vs. New: Common ATM Crime Patterns Compared

Attack type	Primary target	What the victim experiences	Who usually loses money	What defenders should watch
Skimming	Customer credentials	Card works, but later you see fraudulent charges	Customers and issuers (chargebacks)	Device tampering, customer reports, fraud analytics
Card trapping	Customer card	ATM “keeps” the card; scammers try to steal PIN	Customers and issuers	Trap devices, unusual overlays, local surveillance
Physical theft	ATM safe/cash	ATM is damaged or removed entirely	Operator/insurer	Anchoring, alarms, camera coverage, response time
Jackpotting (cash-out)	ATM cash dispenser	ATM may go offline; cash shortages; sudden outages	Bank/operator (direct cash loss)	Cabinet access alerts, endpoint integrity, removable media events, unusual processes

The big difference: jackpotting can produce immediate cash and may not look like “fraudulent transactions” in the normal sense. That’s why endpoint monitoring and physical intrusion signals matter so much.

Who Is Most at Risk?

Jackpotting does not hit all locations equally. Attackers prefer environments that minimize time, friction, and attention. The most exposed setups tend to share a few traits:

• Standalone ATMs placed in lightly monitored areas.
• Weak cabinet controls (standard locks, predictable access routines).
• Limited camera coverage or cameras that do not clearly capture faces and hands at the machine.
• Inconsistent software baselines across a fleet, making anomalies harder to spot.
• Slow response to after-hours alerts or service calls.

The uncomfortable truth is that jackpotting is often an operational-security problem as much as a cybersecurity problem. It punishes environments where physical access to “maintenance” areas is treated as low-risk.

Why This Is Rising Now (5 Forces Behind the Trend)

1. Cash is instant. Compared to digital theft, stolen cash has fewer steps before it becomes usable.
2. Hybrid crews scale. A small team can mix physical access with simple execution.
3. Operational gaps exist. Vendor maintenance chains can blur ownership of security controls.
4. Older assumptions linger. Many deployments were built for “trusted service access,” not hostile intrusion.
5. Detection is hard without telemetry. If logs are local and not reviewed, early signals get missed.

Practical insight: A “fast cash-out” crime grows when the chance of being identified is low and the time-on-site is short. Many defenses work simply because they add time, noise, and visibility.

What It Looks Like in the Real World (Safe, High-Level Scenario)

A typical jackpotting operation is designed for speed and repeatability. In the real world, that can mean: a crew targets multiple machines in a metro area over a short window, choosing sites with low friction, and relying on quick actions rather than prolonged tampering.

This is not always a “lone hacker” story. Public law enforcement reporting has described cases where organized groups allegedly coordinated roles across many locations, recruiting individuals to handle on-site activity while others managed logistics.

Why this matters for defenders

• Single-location thinking fails. If one ATM gets hit, similar sites may be next.
• Prevention is layered. Physical upgrades without endpoint controls leave gaps (and vice versa).
• Speed wins. Alerts that arrive hours later are not alerts; they are reports.

If You Host an ATM (Businesses): A Practical Checklist

Many businesses host ATMs but do not operate them. Even then, you can reduce risk with common-sense controls that make the site harder to exploit.

Visibility and deterrence

• Ensure the ATM is in a well-lit, high-traffic area.
• Place signage that the area is under video recording.
• Keep the machine within view of staff when possible.

Cameras that help (not cameras that exist)

• Confirm cameras capture faces and hands at the cabinet, not just a wide hallway shot.
• Check retention policies so footage is available days later.
• Make sure timestamps are accurate.

Operational habits

• Train staff to treat cabinet tampering as urgent, not “maintenance.”
• Keep a short internal procedure for “ATM looks off” incidents (who to call, what to record).
• If safe to do so, note identifying details (time, number of people, vehicle, direction of travel).

Business rule: If someone is accessing the ATM cabinet without clear authorization, treat it as suspicious. Your job is not confrontation; it is reporting and documentation.

For Banks and ATM Operators: The Defenses That Actually Matter

Jackpotting is best handled like an endpoint security problem with a physical intrusion component. The strongest posture combines: cabinet hardening, system integrity, and telemetry.

1) Physical hardening

• Replace standard locks with higher-security alternatives and tighten key control.
• Add intrusion sensors for cabinet access and alert on after-hours openings.
• Use barriers that restrict access to sensitive compartments.

2) Baselines and integrity

• Maintain a known-good baseline for approved software configurations.
• Alert on unauthorized changes (unexpected executables, altered configuration files).
• Prefer hardened boot and storage protections where supported.

3) Logging and fast detection

• Collect endpoint and system logs centrally (not just locally).
• Monitor for suspicious events like unauthorized media connections and unexpected process activity.
• Focus on early-stage signals, not only the final cash-out moment.

Operator reality: If your telemetry cannot tell you “what changed” on the ATM, you are often reacting after cash is gone.

For Everyday Users: Are You at Risk?

In most jackpotting incidents, you are not the direct target because attackers want the ATM’s cash, not your account. But you can still feel the impact in everyday ways:

• Out-of-service ATMs and longer downtime after an incident.
• Empty machines that suddenly show “no cash” more often.
• Disruptions at convenience locations that rely heavily on ATMs.

Simple, practical ATM habits

• Prefer ATMs in bank branches or well-monitored vestibules.
• If the cabinet looks loose, misaligned, or recently forced, walk away.
• If something feels off, choose another machine and notify the host business or bank.

Quick clarity: Jackpotting is typically a bank/operator loss, but skimming still exists. Keep monitoring your account and use normal anti-skimming awareness.

FAQ: Straight Answers People Search For

Glossary (So the Jargon Doesn’t Win)

• Jackpotting: forcing an ATM to dispense cash without a legitimate transaction.
• Cash-out: fast monetization activity designed to extract cash quickly.
• Cyber-physical attack: a tactic that uses both physical access and digital manipulation.
• ATM operator: the entity responsible for ATM deployment, maintenance, and security controls.
• Skimming: stealing card data and PINs via physical overlays or hidden devices.

Sources (for readers who want primary references)

• FBI / IC3 Cybersecurity Advisory: https://www.ic3.gov/CSA/2026/260219.pdf
• U.S. Department of Justice (OPA): https://www.justice.gov/opa/pr/investigation-international-atm-jackpotting-scheme-and-tren-de-aragua-results-additional
• U.S. Secret Service (historical background): https://www.secretservice.gov/newsroom/releases/2018/01/secret-service-warns-sophisticated-atm-jackpotting-attack
• U.S. Attorney’s Office (Nebraska): https://www.justice.gov/usao-ne/pr/tren-de-aragua-members-and-leaders-indicted-multi-million-dollar-atm-jackpotting-scheme