ATM Jackpotting Is Back. And Banks Should Be Paying Attention.

Fifteen years ago, security researcher Barnaby Jack stood on stage at Black Hat and forced an ATM to dispense cash on command. It was a powerful demonstration of what was technically possible.

In 2026, it is no longer a demonstration.

According to a recent FBI bulletin, more than 700 ATM jackpotting attacks were recorded during 2025, with losses exceeding $20 million. What began as conference theatre has matured into a coordinated criminal operation targeting financial institutions at scale.

For banks operating large ATM estates, this is not an abstract risk. It is an infrastructure reality.

What Is Actually Happening

ATM jackpotting does not target customer accounts. It targets the machine itself.

Attackers gain physical access to the ATM's upper cabinet (the compartment that houses the PC core, which is usually far less protected than the cash safe beneath it), often using generic keys or by abusing maintenance procedures. Once inside, they connect a keyboard or USB device and install malware such as Ploutus on the Windows host. Ploutus breaks no cryptography: it abuses the XFS (eXtensions for Financial Services) middleware, the standard software layer through which the ATM application drives hardware components such as the cash dispenser and PIN pad. Any process running on the host with access to that layer can issue the same dispense commands the legitimate application does.

With code running on the host, criminals can send dispense commands straight to the dispenser and empty the cassettes with no card, PIN or transaction authorisation involved.

Because no card or account is involved, the withdrawal never reaches the transaction switch. There is no fraudulent transaction to flag and nothing for card monitoring to alert on. It is a device-level compromise.

In many cases, detection happens after the fact, when cassettes are counted during replenishment.

Why This Should Concern Banking Executives

There are three strategic issues here.

1. Legacy Operating Systems Remain in Production

Many ATM estates still run Windows versions that are out of support, and the XFS layer by design lets any application on the host drive the dispenser. If patching cycles are inconsistent, hosts are not locked down with application allow-listing and full-disk encryption, or unsupported systems remain in use, the attack surface expands.

2. Physical Access Is Often Treated as an Operational Risk, Not a Cyber Risk

Security budgets frequently separate physical controls from cyber controls. Jackpotting attacks prove that the two are inseparable. A compromised cabinet becomes a compromised network endpoint.

3. Monitoring Is Still Account-Centric

Fraud detection systems model anomalous customer activity. Jackpotting bypasses this model entirely, because the cash leaves without a transaction. Unless device telemetry (dispense events, cabinet door sensors, process execution on the host) is collected and reconciled against authorised transactions in near real time, these attacks can unfold silently.
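The reconciliation the previous paragraph calls for, as an added example that is not code from the original article or from any ATM vendor: every dispense event reported by the device is matched against an authorisation from the transaction switch for the same ATM within a short window, and anything left over is an alert. The log format, the ATM identifiers and the sample events are constructed for illustration; real estates surface these signals through vendor agents and the switch, but the matching logic is the same.

```python
"""Reconcile ATM dispense events against authorised transactions.

Added example, not from the original article or any vendor. The log format
is constructed: one event per line with an ISO timestamp, an ATM id, an
event type and key=value fields.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). ATM-0417 shows a cabinet
# opened at 03:02 followed by two dispenses with no authorisation; ATM-0931
# dispenses more than the switch authorised.
SAMPLE_LOG = """\
2026-01-14T02:11:05 ATM-0417 AUTH txn=88213 amount=200
2026-01-14T02:11:09 ATM-0417 DISPENSE amount=200
2026-01-14T03:02:40 ATM-0417 CABINET_OPEN
2026-01-14T03:04:12 ATM-0417 DISPENSE amount=4000
2026-01-14T03:04:30 ATM-0417 DISPENSE amount=4000
2026-01-14T03:05:01 ATM-0417 CABINET_CLOSE
2026-01-14T09:15:22 ATM-0931 AUTH txn=88300 amount=100
2026-01-14T09:15:25 ATM-0931 DISPENSE amount=300
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<atm>\S+) (?P<kind>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    fields: dict = field(default_factory=dict)


@dataclass
class Anomaly:
    ts: datetime
    atm: str
    reason: str
    dispensed: int
    authorised: int | None
    cabinet_open: bool


def parse_log(text: str) -> list:
    """Parse the constructed format into Events, stably sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(Event(datetime.fromisoformat(m["ts"]), m["atm"],
                            m["kind"], dict(KV_RE.findall(m["rest"]))))
    events.sort(key=lambda e: e.ts)
    return events


def find_anomalies(text: str, window_seconds: int = 60) -> list:
    """Flag every DISPENSE that no recent AUTH on the same ATM explains.

    Each AUTH explains at most one DISPENSE, and only within the window. A
    dispense that matches nothing, or whose amount differs from the
    authorised amount, is an anomaly. Cabinet state is tracked so the alert
    records whether the top box was open at the time.
    """
    window = timedelta(seconds=window_seconds)
    pending = {}        # atm -> unmatched AUTH events
    cabinet_open = {}   # atm -> True between CABINET_OPEN and CABINET_CLOSE
    anomalies = []
    for ev in parse_log(text):
        if ev.kind == "AUTH":
            pending.setdefault(ev.atm, []).append(ev)
        elif ev.kind == "CABINET_OPEN":
            cabinet_open[ev.atm] = True
        elif ev.kind == "CABINET_CLOSE":
            cabinet_open[ev.atm] = False
        elif ev.kind == "DISPENSE":
            dispensed = int(ev.fields.get("amount", 0))
            is_open = cabinet_open.get(ev.atm, False)
            auths = pending.get(ev.atm, [])
            auths[:] = [a for a in auths if ev.ts - a.ts <= window]  # expire stale
            if not auths:
                anomalies.append(Anomaly(ev.ts, ev.atm, "dispense without authorisation",
                                         dispensed, None, is_open))
                continue
            authorised = int(auths.pop(0).fields.get("amount", 0))  # oldest consumed
            if dispensed != authorised:
                anomalies.append(Anomaly(ev.ts, ev.atm,
                                         "dispensed amount differs from authorised amount",
                                         dispensed, authorised, is_open))
            elif is_open:
                anomalies.append(Anomaly(ev.ts, ev.atm, "authorised dispense while cabinet open",
                                         dispensed, authorised, is_open))
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.atm} {a.reason}: dispensed={a.dispensed} "
              f"authorised={a.authorised} cabinet_open={a.cabinet_open}")
```

On the sample feed the check raises three alerts: the two 4,000 dispenses on ATM-0417 with the cabinet open and no authorisation, and the 300 dispense on ATM-0931 against a 100 authorisation. The window and the one-authorisation-per-dispense rule are the two parameters worth tuning against a real estate, since a legitimate host may retry a dispense after a hardware fault.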

For boards and risk committees, this raises uncomfortable but necessary questions. Are we looking at infrastructure risk with the same rigour as digital banking risk? Are we measuring resilience at the device layer?

This Is Bigger Than ATMs

ATM jackpotting is a visible example of a broader pattern in financial services.

Distributed infrastructure is growing. Smart kiosks, branch self-service terminals, remote devices, and integrated payment hardware all introduce hybrid risk. These systems blend physical components with network connectivity and legacy software.

Where there is hybrid infrastructure, there is hybrid exposure.

What makes jackpotting instructive is not just the cash loss. It is the speed of execution and the delay in detection. The FBI noted that many attacks occur within minutes and are discovered only after reconciliation.

In a sector built on trust, delayed detection is reputational risk.

What Forward-Thinking Banks Should Be Doing

This is not about panic. It is about discipline.

Banks should be asking:

  • Have we conducted a recent security assessment of our ATM estate at both the physical and software layers?
  • Are unsupported operating systems still in circulation?
  • Do we have real-time monitoring of device behaviour (dispense events, cabinet access, host integrity), not just transactional activity?
  • Is our incident response plan aligned to device-level compromise scenarios?
  • Are third-party maintenance providers included in our cyber risk framework?

These are not compliance questions. They are resilience questions.

From Awareness to Action

Jackpotting reminds us that cyber risk is not confined to data centres and cloud environments. It sits in branch foyers, in retail corridors, and in every unattended machine connected to a network.

For financial institutions, the risk conversation must evolve from fraud monitoring to infrastructure assurance. Device-level resilience is no longer optional. It is foundational to operational continuity and brand trust.

If your ATM estate or distributed device environment has not been independently assessed in the past 12 months, this is a practical place to start. A structured review of operating systems, patch posture, physical controls, and monitoring capabilities can quickly surface gaps that routine reporting may miss.

Because in 2026, infrastructure exposure is not a technical footnote. It is a board-level discussion waiting to happen.

We work with financial institutions to evaluate infrastructure risk before it becomes headline risk.