This is Part 3 of a 4-part series on ATM attack risks and defense strategies. In Part 1, we examined the evolving threat landscape. In Part 2, we covered the physical attack vectors. Now we turn to the logical and cybersecurity attacks that represent the most dangerous and rapidly evolving threats to ATM networks.
While physical attacks on ATMs grab headlines with dramatic footage of ram raids and explosions, the most sophisticated—and often most financially devastating—threats are digital. Logical and cybersecurity attacks target the ATM’s software, data, network communications, and the backend banking infrastructure. They can drain cash, steal customer data, and in the most severe cases, compromise entire payment processing systems.
Jackpotting: When ATMs Become Slot Machines
Jackpotting is the term for malware-driven attacks that command an ATM’s cash dispenser to eject banknotes without authorization. The Federal Reserve Bank of Atlanta has documented how these attacks are growing more sophisticated and harder to detect.
The malware is typically installed by gaining physical access to the ATM’s internal computer—often by posing as a technician—and connecting a USB drive or CD. Once installed, it interacts with the ATM’s hardware through standard middleware interfaces. Specific malware families are purpose-built for this task: Ploutus, Tyupkin, Cutlet Maker, Alice, and GreenDispenser each bring different capabilities, but all share the same goal—forcing the machine to empty its cash cassettes on command.
CrowdStrike’s analysis of the Ploutus malware family reveals how these tools use heavy obfuscation to evade security software, while Kaspersky’s research into Cutlet Maker showed that complete jackpotting kits are sold on darknet markets with user manuals—effectively making ATM robbery a turnkey operation for criminals with minimal technical skill.
These attacks often employ “money mules”—individuals recruited to physically collect the dispensed cash, sometimes with limited awareness of the illegality involved. Some malware variants are programmed to operate only during specific windows, such as nights or weekends, to reduce the risk of detection.
Black Box Attacks: Bypassing the Brain
If jackpotting exploits the ATM’s software, black box attacks bypass it entirely. Attackers gain physical access to the ATM’s internal components—often by drilling through the fascia or forcing open the top cabinet—then disconnect the cable between the ATM’s computer and its cash dispenser. They connect an external device directly to the dispenser: a modified laptop, a Raspberry Pi, a smartphone, or custom hardware.
This “black box” sends native commands directly to the dispenser, instructing it to eject cash. Because the ATM’s computer is completely bypassed, the attack circumvents the operating system, application logic, security software, and the need for host authorization. As Cisco Talos has detailed in their retrospective on ATM malware, black box attacks leave minimal or no trace in the ATM’s software logs, making them particularly difficult to detect after the fact.
The risk profile is stark: rapid, substantial cash loss with most software-based security controls rendered irrelevant. Detection relies almost entirely on physical security measures and backend reconciliation.
Network Attacks: Intercepting the Transaction
ATMs don’t operate in isolation—they communicate with host processors and banking systems across networks. That communication channel is itself an attack surface.
Man-in-the-Middle (MitM) and Host Spoofing: An attacker positions themselves between the ATM and its legitimate host server. This can be achieved by inserting a rogue device into the network line, exploiting ARP or DNS spoofing vulnerabilities, or compromising network equipment. Once they are intercepting traffic, attackers can eavesdrop on sensitive data, modify transaction responses (turning “declined” into “approved”), or impersonate the host entirely—authorizing withdrawals without any actual account validation. Imperva provides a thorough explanation of how MitM attacks work across different contexts, including financial systems.
Denial of Service: While DDoS attacks don’t directly steal cash, they disrupt service at scale. The UK’s National Cyber Security Centre (NCSC) provides guidance on these attacks, noting that they can serve as diversionary tactics—distracting security teams while another attack, like data exfiltration, is underway. CISA has published similar guidance for U.S. financial institutions.
A critical concern with network attacks is the potential for lateral movement. A compromised ATM network connection can serve as an entry point into the broader banking network—turning a single ATM vulnerability into a systemic breach.
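One defensive control against the response tampering and host spoofing described above is to authenticate every host response and bind it to the request it answers, so that a modified result or a replayed approval is rejected at the ATM. The following Python example is added here (it is not code from the original post or from any ATM vendor's protocol) and assumes a constructed shared key and a simplified key=value message format.

```python
import hmac
import hashlib
import secrets

# Assumed shared secret between the ATM and its host (a constructed demo key;
# a real deployment would keep such keys in tamper-resistant hardware).
KEY = b"constructed-demo-key-not-for-production"

def canonical(fields):
    """Deterministic byte encoding of the signed fields (sorted key=value pairs)."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()

def atm_request(txn, amount):
    """ATM side: each request carries a fresh nonce the host must echo back."""
    return {"txn": txn, "amount": amount, "nonce": secrets.token_hex(8)}

def host_respond(request, result, key=KEY):
    """Host side: the authorization result is bound to txn, nonce and amount by an HMAC."""
    body = {"txn": request["txn"], "nonce": request["nonce"],
            "amount": request["amount"], "result": result}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}

def atm_verify(request, response, key=KEY):
    """ATM side: return the result only if the response answers this request and its MAC is valid."""
    body = {k: v for k, v in response.items() if k != "mac"}
    # Binding check defeats replaying an old APPROVED response for a new request.
    if body.get("txn") != request["txn"] or body.get("nonce") != request["nonce"]:
        return None
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; any edit to the body (e.g. DECLINED -> APPROVED) changes the MAC.
    if not hmac.compare_digest(expected, response.get("mac", "")):
        return None
    return body["result"]

def demo():
    """Three cases: genuine response, in-path tampering, and a replayed approval."""
    req1 = atm_request("1001", 200)
    genuine = host_respond(req1, "APPROVED")
    req2 = atm_request("1002", 500)
    declined = host_respond(req2, "DECLINED")
    tampered = {**declined, "result": "APPROVED"}   # result flipped in transit
    replayed = dict(genuine)                         # old approval presented for req2
    return (atm_verify(req1, genuine), atm_verify(req2, tampered), atm_verify(req2, replayed))
```

The genuine response verifies, while both the flipped result and the replayed approval are rejected before the ATM would act on them.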
Transaction Reversal Fraud: Exploiting the Logic
Transaction Reversal Fraud (TRF) is an elegant attack that exploits the logical sequence of ATM operations. The criminal initiates a normal withdrawal but deliberately induces a card reader fault—by leaving the card in the slot or manipulating it during ejection. If the host system determines the transaction failed before confirming cash was dispensed, it issues a reversal. The criminal then forces open the dispenser shutter and grabs the pre-staged cash. The account is never debited.
TRF requires precise timing and knowledge of the specific ATM model’s operational flow. It’s less scalable than malware attacks but can be highly effective against vulnerable configurations.
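The backend reconciliation mentioned for black box attacks, and the reversal-before-dispense gap exploited by TRF, can both be checked from the same data: what the host debited, what the ATM software recorded as dispensed, and what physically left the cassettes. The Python below is an added example (not code from the original post or the white paper) and assumes constructed host and dispenser records in a key=value format plus cassette counts from two physical audits.

```python
# Constructed sample records for one ATM between two cassette audits (not real bank logs).
HOST_LOG = [
    "txn=1001 amount=200 result=APPROVED",
    "txn=1002 amount=500 result=APPROVED",
    "txn=1002 amount=500 result=REVERSED",   # host reversed after a card-reader fault
    "txn=1003 amount=100 result=DECLINED",
]
DISPENSER_LOG = [                            # the ATM software's own dispense records
    "txn=1001 dispensed=200",
    "txn=1002 dispensed=500",                # notes left before the reversal: TRF pattern
]
CASSETTE_START, CASSETTE_END = 20000, 18300  # physical note counts from the audits

def parse(line):
    """key=value tokens -> dict."""
    return dict(token.split("=", 1) for token in line.split())

def reconcile(host_lines, dispenser_lines, cassette_start, cassette_end):
    """Compare what the host debited with what the machine says, and what physically left it."""
    results = {}   # txn -> set of host outcomes seen for that transaction
    amounts = {}
    for line in host_lines:
        rec = parse(line)
        results.setdefault(rec["txn"], set()).add(rec["result"])
        amounts[rec["txn"]] = int(rec["amount"])
    # Net debits: approved transactions the host did not later reverse.
    net_debited = sum(amounts[t] for t, r in results.items()
                      if "APPROVED" in r and "REVERSED" not in r)
    # TRF pattern: host reversed the transaction, but the dispenser says cash went out.
    reversal_after_dispense = []
    dispensed_total = 0
    for line in dispenser_lines:
        rec = parse(line)
        amt = int(rec["dispensed"])
        dispensed_total += amt
        if "REVERSED" in results.get(rec["txn"], set()):
            reversal_after_dispense.append((rec["txn"], amt))
    # Black box pattern: cash removed that no software dispense record accounts for.
    physically_removed = cassette_start - cassette_end
    return {
        "net_debited": net_debited,
        "physically_removed": physically_removed,
        "reversal_after_dispense": reversal_after_dispense,
        "unlogged_dispense": physically_removed - dispensed_total,
        "shortfall": physically_removed - net_debited,
    }
```

On the sample data the host debited 200, the cassettes lost 1700, 500 of that is a reversed transaction that still dispensed, and 1000 has no software record at all.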
The Nuclear Option: Backend System Compromise
The most severe threat vector targets not individual ATMs but the central infrastructure that manages transactions. This is the domain of groups like the Lazarus Group (Hidden Cobra)—a North Korean state-sponsored threat actor responsible for some of the most devastating ATM heists in history.
The attack pattern: gain access to a bank’s internal network through spear phishing or other intrusion techniques. Move laterally to compromise payment switch application servers—the systems that route and authorize transactions. Deploy specialized malware like FASTCash that intercepts transaction requests and generates fraudulent approval responses, even for accounts with zero balances.
The result is an “unlimited cash-out” scenario where money mules simultaneously withdraw large sums from ATMs across multiple countries. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) and CISA have jointly published advisories on the North Korean cyber threat, highlighting ATM cash-out operations as a key revenue source for the regime. The Hacker News has reported on newer Linux variants of the FASTCash malware, demonstrating that these threats continue to evolve.
Reports indicate tens of millions of dollars stolen in single campaigns. These attacks represent a critical, systemic risk to financial institutions.
For a detailed look at how cyber-physical attacks unfold step by step, see our earlier analysis: Anatomy of a Cyber-Physical Heist.
The Software Vulnerability Problem
Underpinning many of these attacks is a fundamental issue: software vulnerabilities. ATMs running outdated, unpatched operating systems like Windows XP or Windows 7 are exposed to well-documented exploits. But even supported OS versions create risk when patches aren’t applied promptly.
The standardization that makes ATMs cheaper to operate also makes them easier to attack at scale. Malwarebytes has noted that malware developed for one ATM platform can potentially compromise machines from multiple manufacturers, thanks to common operating systems and standardized middleware like XFS. A single successful exploit can scale across an entire diverse fleet.
The interdependence of physical and logical security is crucial to understand: many logical attacks—malware via USB, black box connections—require physical access to the ATM’s internals. Weak physical security directly amplifies cyber risk.
Coming Up: Building a Defense That Works
In Part 4, the final installment of this series, we’ll move from threat analysis to action. We’ll present a structured risk management framework, walk through layered mitigation strategies across physical, logical, network, and process domains, and introduce a Capability Maturity Worksheet that organizations can use to benchmark and improve their ATM security posture.
📄 Download the Full White Paper
This blog series is based on a comprehensive technical analysis covering all ATM attack vectors, a complete risk management framework, and an actionable Capability Maturity Worksheet for assessing your organization’s security posture. Download the full white paper here.
