originally published by Hacker News, December 2025: The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme.
Ploutus Malware
The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash. The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for “the train of Aragua”), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department.
In July 2025, the U.S. government announced sanctions against the group’s head, Hector Rusthenford Guerrero Flores (aka Niño Guerrero), and five other key members for their involvement in the “illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities.”
Bank fraud, burglary, and money laundering
The Justice Department said an indictment returned on December 9, 2025, has charged a group of 22 people for supposedly committing bank fraud, burglary, and money laundering. Prosecutors also alleged that TdA has leveraged jackpotting schemes to siphon millions of dollars in the U.S. and transfer the ill-gotten proceeds among its members and associates.
Another 32 individuals have been charged in a second, related indictment returned on October 21, 2025, accusing them of “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of damage to computers.”
Defendants are facing up to 335 years in prison for all related charged to the malware
If convicted, the defendants could face a maximum penalty of anywhere between 20 and 335 years in prison.
“These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.
The jackpotting operation is said to have relied on the TdA recruiting an unspecified number of individuals to deploy the malware across the nation. These individuals would then conduct initial reconnaissance to assess external security measures installed at various ATMs and then attempt to open the ATM’s hood to check if they triggered any alarm or a law enforcement response.
As easy as replacing a clean hard drive with a malicious one during ATM installation or maintenance
Following this step, the threat actors would install Ploutus by either replacing the hard drive with one that came preloaded with the malicious program or by connecting a removable thumb drive. The malware is equipped to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force currency withdrawals.
Malware designed to instantly delete evidence
“The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM,” the DoJ said. “Members of the conspiracy would then split the proceeds in predetermined portions.”
Weaknesses in Windows XP-based ATMs
Ploutus was first detected in Mexico in 2013. In a 2014 report, Symantec detailed how a weakness in Windows XP-based ATMs could be exploited to allow cybercriminals to withdraw cash simply by sending an SMS to compromised ATMs. A subsequent analysis from FireEye (now part of Google Mandiant) in 2017 detailed its ability to control Diebold ATMs and run on various Windows versions.
Any size business is at risk of malware – it only takes one infected device of any kind.
According to the agency, a total of 1,529 jackpotting incidents have been recorded in the U.S. since 2021, with about $40.73 million lost to the international criminal network as of August 2025.
No matter your business size, threats are everywhere. Get with an IT expert to secure your business today: