
US Charges 87 in ATM Jackpotting Conspiracy Linked to Venezuelan Crime Syndicate

3 unique sources, 7 articles

Summary


The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs. Ploutus malware interacts directly with ATM hardware, bypassing the original ATM software's security. The FBI recommends physical security measures, hardware security, logging, auditing, IP whitelisting, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.

Timeline

  1. 20.02.2026 12:08 2 articles · 4d ago

    FBI Warns of $20 Million in ATM Jackpotting Losses in 2025

    The FBI warned that Americans lost more than $20 million last year amid a massive surge in ATM "jackpotting" attacks, in which criminals use malware to force cash machines to dispense money. According to a Thursday FBI flash alert, more than 700 ATM jackpotting incidents were reported last year alone in a significant spike compared to the roughly 1,900 total incidents reported across the United States since 2020. These attacks can be carried out in minutes and target the software layer controlling an ATM's physical hardware, using malicious tools such as the Ploutus malware. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs. Ploutus malware interacts directly with ATM hardware, bypassing the original ATM software's security. The FBI recommends physical security measures, hardware security, logging, auditing, IP whitelisting, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.

  2. 20.02.2026 10:05 3 articles · 4d ago

    FBI Reports 1,900 ATM Jackpotting Incidents Since 2020

    The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025. Losses in 2025 exceeded $20 million. Cybercriminals exploit physical and software vulnerabilities to deploy malware, often using generic keys to access ATMs. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs; Ploutus malware interacts directly with ATM hardware through the XFS layer, bypassing the original ATM software's security. The FBI recommends tightening physical security, hardware security, auditing devices, changing default credentials, configuring automatic shutdown modes, enforcing device allowlisting and IP whitelisting, maintaining logs, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.

  3. 27.01.2026 18:27 1 article · 27d ago

    Tren de Aragua Designated as Foreign Terrorist Organization

    The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) designated the Tren de Aragua (TdA) gang as a Foreign Terrorist Organization in December. The gang, which grew from a prison gang to a transnational criminal organization, has been involved in sophisticated malware attacks on ATMs across the United States.

  4. 23.01.2026 18:38 1 article · 1mo ago

    Conviction and Deportation of Venezuelan Nationals

    Luz Granados and Johan Gonzalez-Jimenez, two Venezuelan nationals, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting. They were sentenced to 18 months in federal prison and ordered to pay restitution before deportation. The defendants connected laptops to ATMs and installed malware to bypass security protocols, forcing the machines to dispense all available cash. The stolen funds came directly from the banks rather than individual customer accounts, affecting institutions in South Carolina, Georgia, North Carolina, and Virginia.

  5. 19.12.2025 13:20 7 articles · 2mo ago

    US Charges 54 in ATM Jackpotting Conspiracy




Similar Happenings

Crazy Ransomware Gang Abuses Employee Monitoring and Remote Support Tools

The Crazy ransomware gang has been observed abusing legitimate employee monitoring software (Net Monitor for Employees Professional) and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. The attackers used these tools to gain full interactive access to compromised systems, transfer files, execute commands, and monitor system activity in real time. They also attempted to disable Windows Defender and set up monitoring rules to detect cryptocurrency-related activities and remote access tools. The use of multiple remote access tools provided redundancy for the attackers, ensuring they retained access even if one tool was discovered or removed. The breaches were enabled through compromised SSL VPN credentials, highlighting the need for organizations to enforce MFA on all remote access services.

Increase in Stealthy Persistence and Evasion Techniques for Data Extortion

Threat actors are increasingly favoring stealthy persistence and evasion techniques to silently exfiltrate data for extortion. According to Picus Security's Red Report 2026, attackers are blending in with legitimate traffic and operating through trusted processes to stay hidden from network defenders. Process injection remains the top malicious technique, enabling attackers to hide malicious code inside legitimate applications. Additionally, attackers are routing command-and-control (C2) traffic through high-reputation services like OpenAI and AWS to evade detection. The use of 'data encrypted for impact' has dropped by 38% annually, indicating a shift towards silent data exfiltration. The report also highlights sophisticated evasion techniques such as LummaC2 infostealer malware, which uses trigonometry to detect sandbox environments and avoid detonation. Virtualization/sandbox evasion is now the fourth most prevalent MITRE ATT&CK technique observed.

US Seizes E-Note Crypto Exchange for Ransomware Laundering

The U.S. Department of Justice, led by the FBI and collaborating with international partners, has seized the E-Note cryptocurrency exchange for allegedly laundering over $70 million in ransomware and account takeover proceeds. The operation involved confiscating domains, servers, and customer databases, with an indictment unsealed against the Russian national Mykhalio Petrovich Chudnovets, believed to be the operator of E-Note. Chudnovets targeted US healthcare and critical infrastructure sectors through his money laundering services, which he began offering in 2010. This action may lead to further identification of cybercriminals involved in the laundering scheme.

European Authorities Dismantle Ukraine-Based Call Center Fraud Ring

European law enforcement dismantled a fraud network operating call centers in Ukraine that scammed victims across Europe out of over 10 million euros. The operation involved arrests, seizures, and the disruption of multiple call centers employing approximately 100 people. The criminals used various schemes, including impersonating bank employees and police officers, to defraud over 400 known victims. The network operated as a commission-based criminal enterprise, promising bonuses for successful scams. Authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, supported by Eurojust, arrested 12 suspects out of 45 identified. The operation included 72 searches across three Ukrainian cities, leading to the seizure of vehicles, weapons, a polygraph machine, computers, cash, and counterfeit identification documents. The fraud ring used remote access software to steal banking logins and directed victims to transfer funds to 'safe' accounts under their control. Members of the network had different roles, including making scam phone calls, forging official documents, and collecting cash from victims.

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.