Indictment Filed Against 87 People in Multimillion-Dollar Theft in America
Millions of Dollars Stolen from ATMs Using a Flash Drive: What's the Story?
In a significant development in the cybercrime case, a federal grand jury in Nebraska indicted 31 additional individuals in what authorities describe as a nationwide conspiracy to hack ATMs, bringing the total number of defendants in the case to 87.
The charges include conspiracy to commit bank fraud, bank robbery, and wire fraud, following two previous indictments issued in October and December 2025 against 56 other individuals, according to a report published by SlashGear and reviewed by Al Arabiya Business.
Millions of Dollars Stolen Through Jackpotting Technique
According to a statement issued by the US Department of Justice, the scheme involved planting malicious software inside ATMs in several states, using a technique known in cybersecurity circles as "Jackpotting."
The investigation is being led by the FBI in Omaha, in conjunction with the Department of Homeland Security Investigations and several other law enforcement agencies across the country. The prosecution is being handled by the Department of Justice’s Computer Crimes and Intellectual Property Division and the Nebraska Attorney General’s Office.
The technique involves forcing an ATM to dispense cash upon receiving unauthorized commands, without requiring bank cards or account information. According to the prosecution, the defendants connected an external storage device—such as a USB drive—containing the malware, enabling them to illegally withdraw millions of dollars.
How was the hack carried out?
Despite the sophisticated nature of the attack, the technical mechanism was simpler than many might expect. An ATM is essentially a traditional computer, often running Windows, including older versions like Windows 10 LTSC 2015, which recently reached its end of support. Because it relies on standard components, including USB ports and traditional connections, it is vulnerable to the same types of malware that can infect a home computer, provided the attacker has physical access to its internal components.
The indictment alleges the use of a modified version of malware known as "Ploutus," a strain first detected in Mexico in 2013. This malware targets an intermediate software layer called XFS (short for eXtensions for Financial Services).
XFS acts as a bridge between the operating system and the cash dispenser within the device. Ploutus exploits this intermediary to bypass legitimate banking transaction systems and send commands directly to the cash dispenser. This method differs significantly from traditional skimming operations that target card data, as it directly attacks the device itself.
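Because cash dispensed this way never passes through the bank's transaction host, a defender can expose it by reconciling dispenser events against host authorizations. The sketch below is an added example, not taken from the indictment or from any vendor's tooling; the journal format, event names and sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample journal in a hypothetical format (not a real ATM log format).
# AUTH = host-approved withdrawal; DISPENSE = cash physically dispensed;
# CABINET_OPEN / USB_ATTACH = physical events on the machine.
SAMPLE_JOURNAL = """\
2025-01-01T14:02:10 AUTH txn=1001 amount=200
2025-01-01T14:02:14 DISPENSE amount=200
2025-01-02T02:11:40 CABINET_OPEN
2025-01-02T02:19:05 USB_ATTACH class=mass_storage
2025-01-02T02:21:30 DISPENSE amount=2000
2025-01-02T02:21:55 DISPENSE amount=2000
2025-01-02T09:15:00 AUTH txn=1002 amount=100
2025-01-02T09:15:03 DISPENSE amount=100
2025-01-02T09:15:20 DISPENSE amount=100
"""

def parse(journal):
    """Yield (timestamp, event, fields) for each non-empty line."""
    for line in journal.splitlines():
        if not line.strip():
            continue
        ts, event, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        yield datetime.fromisoformat(ts), event, fields

def unmatched_dispenses(journal, window=timedelta(seconds=60),
                        context=timedelta(minutes=30)):
    """Return dispenses with no unused host authorization of the same amount
    inside `window`, plus physical events seen in the preceding `context`."""
    pending, physical, alerts = [], [], []
    for ts, event, f in parse(journal):
        if event == "AUTH":
            pending.append((ts, int(f["amount"])))
        elif event in ("CABINET_OPEN", "USB_ATTACH"):
            physical.append((ts, event))
        elif event == "DISPENSE":
            amount = int(f["amount"])
            match = next((a for a in pending if a[1] == amount
                          and timedelta(0) <= ts - a[0] <= window), None)
            if match:
                pending.remove(match)  # each authorization covers one dispense
                continue
            recent = [e for t, e in physical if timedelta(0) <= ts - t <= context]
            alerts.append({"time": ts.isoformat(), "amount": amount,
                           "preceded_by": recent})
    return alerts

if __name__ == "__main__":
    for alert in unmatched_dispenses(SAMPLE_JOURNAL):
        print(alert)
```

Since the software is reported to erase its traces after execution, a check like this is only useful when the events are forwarded off the ATM as they occur rather than read from the machine afterwards.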
Reconnaissance and Execution in Minutes
The Justice Department explains that the network members operated in groups, using multiple vehicles to reconnoiter targeted banks and credit unions, identifying the locations of cameras and alarm systems. After opening the outer casing of the device, they waited to confirm the absence of a security response before installing the malware.
This was done either by replacing the hard drive or connecting an external storage device. Investigations indicate that the entire process took no more than ten minutes, and the software was designed to erase its traces after execution, making it difficult for bank employees to detect the breach.
Continuous Software Development
Ploutus is a malware family that has been known to law enforcement for over a decade. According to previous joint reports by Europol and Trend Micro, the software has undergone significant development. Initially, it required a CD for installation, but later versions became more sophisticated; in some instances a mobile phone was hidden inside the device's casing so that a text message could remotely activate the withdrawal of funds.
Penalties of up to 335 years
If convicted, the defendants face prison sentences ranging from 20 to 335 years, depending on the charges against them. However, the indictment remains a preliminary procedural step, as all defendants are presumed innocent until a final court ruling is issued.
