ATM Jackpotting: What Banks and Credit Unions Need to Know Now

ATM jackpotting is a threat to banks and credit unions in the United States. Here’s an updated guide on the risks and defenses for financial institutions today. 

Editor’s note: Originally published January 29, 2018. Updated on November 4, 2025, for accuracy and relevance. 

ATM jackpotting isn’t new, but it has evolved. What began years ago as a niche cybercrime in other parts of the world has now become a real, recurring threat across the United States. Criminals have learned how to manipulate both the software and hardware of ATMs to force them to “spit out” cash on command—literally turning the machines into jackpots.

Unlike traditional skimming or card fraud, jackpotting targets the machine itself. The goal isn’t data theft—it’s cash theft. For banks and credit unions, this isn’t just a technical issue—it’s a test of operational readiness. The risk is no longer theoretical; it’s a direct threat to liquidity, reputation, and customer trust. 

What Is ATM Jackpotting?

At its core, jackpotting is a cyber-physical attack that overrides an ATM’s normal logic. The attacker gains access—usually by opening the cabinet or service door—and then connects a device or installs malware that communicates directly with the cash dispenser. Once control is established, the attacker can issue commands that cause the ATM to release cash without any legitimate transaction. 

Early forms of jackpotting required highly technical malware. Today, the barrier to entry is much lower. With online marketplaces offering black-box kits, cloned master keys, and guides, even less-experienced criminals can execute these attacks. This “democratization” of tools has made jackpotting one of the most persistent threats to financial institutions and independent ATM operators alike. 

Why Jackpotting Is on the Rise

Law enforcement reports show coordinated jackpotting crews targeting specific ATM models or vendors across multiple states, often striking at night or over weekends when activity is low. For criminals, the reward is immediate, and the window for detection is short.   

Several trends are contributing to the recent increase in attacks:  

• First, many ATMs in the field still run outdated or unsupported operating systems that no longer receive security patches.
• Second, remote or stand-alone machines—such as those in convenience stores or drive-thru lanes—often lack strong physical protection or regular monitoring.
• And finally, as institutions tighten digital controls against phishing and online fraud, attackers are pivoting back to physical channels that may be easier to exploit.

These vulnerabilities reveal why ongoing investment in modernization and monitoring—especially across remote or legacy fleets—is critical for institutions that depend on ATMs as key customer access points. 

How a Jackpotting Attack Unfolds

Most incidents follow a similar pattern. An attacker first gains physical access to the ATM, either by unlocking the outer panel with a generic service key or by tampering with the casing. Once inside, they connect a “black box” (a small computer that intercepts the connection between the ATM’s processor and its cash dispenser). In some cases, malware is installed instead, taking control of the system’s operating logic. 

With control established, the attacker triggers a cash-out sequence. Within minutes, the machine dispenses its entire cash reserve. Often a second person, known as the “mule,” retrieves the money while the operator remotely manages the attack. By the time the ATM’s monitoring system flags irregular activity, the perpetrators are long gone. 

The Cost of Inaction

For financial institutions, the impact goes far beyond the immediate loss of cash. A successful jackpotting incident erodes customer confidence and can expose gaps in vendor oversight, endpoint monitoring, and operational governance.  

While losses from individual attacks can reach six figures, the reputational and regulatory consequences can be even greater.  

Take a look at these real-life jackpotting examples: 

• California, October 2025: Police arrested three individuals in the San Francisco Bay area in connection with an overnight theft that drained more than $100,000 from two ATMs.
• Wisconsin, May 2025: Two men were arrested after allegedly stealing more than $200,000 from multiple ATMs in the Duluth area.
• Colorado, March 2025: Two Colorado residents were arrested for jackpotting three ATMs in Wyoming small towns, stealing a total of $54,000 in two days.
• Texas, March 2025: Seven men were arrested after stealing nearly a quarter of a million dollars from more than 70 ATMs across Texas.  

Regulators increasingly expect institutions to demonstrate robust physical and cybersecurity measures around ATM fleets. An unmonitored, outdated, or unsupported machine is not just an operational liability—it’s a reputational one. These incidents serve as a warning: staying current, visible, and compliant is no longer optional. 

Building a Layered Defense 

Protecting against jackpotting requires a blend of physical security, software integrity, and continuous monitoring. Start by ensuring every ATM in your fleet is running a supported operating system and current firmware. If ports such as USB or serial interfaces are unused, disable or physically block them to prevent unauthorized access. Unique, high-security locks and tamper-evident seals should replace any generic service keys. 

Beyond technical defenses, ATM operators should prioritize real-time operational intelligence—continuous data monitoring, performance tracking, and proactive alerting that surface anomalies before they become losses. 

Equally important is visibility. Deploy software with “heartbeat” monitoring that tracks dispenser activity, reboots, or service-mode events in real time. Integrate those alerts into your central operations dashboard so that your treasury or fraud teams can spot anomalies quickly. And don’t neglect the human element—regularly train staff, vendors, and service partners to recognize suspicious behavior, from false technician visits to unexplained cabinet marks. 

Finally, formalize an incident-response plan specific to ATM attacks. This should define how to secure the affected machine, preserve digital and video evidence, and notify law enforcement. Speed of response can mean the difference between an isolated event and a pattern that spreads across your fleet. 

From Prevention to Preparedness: Building True ATM Resilience 

Jackpotting may sound like a Hollywood term, but its impact on financial institutions is real and costly. True protection requires more than strong locks or software patches; it demands visibility, automation, and preparedness. 

CheckAlt’s ATM Capture supports this preparedness by pairing deposit imaging with real-time monitoring and proactive heartbeat alerts. These tools help identify irregular operational behavior early, minimizing downtime and maintaining customer confidence. 

While no single measure can eliminate every risk, maintaining operational continuity and system awareness is an essential part of overall ATM resilience.  

Get in touch with us today and discover how we can help you ensure your ATMs have the layered defenses they need. While you’re at it, be sure to follow us on LinkedIn and subscribe to CheckAlt Connect, our monthly email newsletter, to keep on top of the latest in payments.