Major Indictment in ATM Jackpotting Scheme
The U.S. Department of Justice has unveiled details of a significant indictment involving 54 individuals linked to a large-scale ATM jackpotting operation that siphoned millions of dollars from automated teller machines across the country. This illicit activity involved the use of malware called Ploutus, which allowed perpetrators to forcibly extract cash from ATMs by exploiting their systems.
Connection to a Notorious Gang
The individuals indicted are reportedly affiliated with Tren de Aragua (TdA), a Venezuelan gang that has been designated as a foreign terrorist organization by the U.S. State Department. This group has been implicated in a range of criminal offenses, including drug trafficking, human smuggling, extortion, and more. Earlier this year, in July 2025, U.S. authorities imposed sanctions on the gang’s leader, Hector Rusthenford Guerrero Flores, also known as Niño Guerrero, explicitly for his role in these diverse criminal enterprises.
Details of the Indictment
On December 9, 2025, the Justice Department announced charges against a group of 22 individuals for bank fraud, burglary, and money laundering. These charges describe how TdA has used jackpotting tactics to steal huge amounts of money and then distribute the proceeds among gang members. A second group of 32 individuals faces various charges, including conspiracy to commit bank fraud, among others, indicating the extensive collaboration within the criminal network.
Potential Consequences for the Defendants
The potential repercussions for those indicted are severe: prison sentences ranging from 20 to 335 years if convicted. According to Acting Assistant Attorney General Matthew R. Galeotti, the defendants employed meticulous surveillance and burglary strategies to infect ATMs with malware and then steal and launder money, partly to finance TdA’s terror-related activities.
Execution of the Jackpotting Scheme
The operation involved recruiting individuals tasked with infiltrating ATMs across the nation. They would first gather intelligence on the security measures in place at various machines. The next step involved opening the ATM and installing the Ploutus malware via a replaced hard drive or a USB stick. Once active, the malware could issue unauthorized commands to the ATM, triggering cash withdrawals without any legitimate authorization.
In a troubling twist, the Ploutus malware was engineered to erase its traces, keeping bank personnel unaware of the breach. Members of the conspiracy were then able to divide the stolen funds according to pre-established agreements.
Understanding Ploutus Malware
Originally identified in Mexico in 2013, Ploutus exploits vulnerabilities in ATM systems, particularly those running older versions of Windows. Initial findings reported by cybersecurity firm Symantec showed how attackers could gain access to ATMs through weaknesses in Windows XP-based machines. Later, more comprehensive analyses revealed that Ploutus could control various brands of ATMs and execute cash withdrawals remotely.
Once the malware is active on an ATM, it allows a “money mule” to retrieve large amounts of cash quickly, provided they have the necessary equipment to access the machine physically, like a master key and a physical keyboard.
Scale of the Jackpotting Incident
Since 2021, the U.S. has reported a staggering total of 1,529 jackpotting incidents, with an estimated loss of $40.73 million to these international criminal networks as of August 2025. This alarming trend highlights growing concern over the effectiveness of ATM security measures and has prompted urgent calls for increased cybersecurity protections in the financial sector.
U.S. Attorney Lesley Woods remarked on the significant financial losses attributed to this conspiracy, emphasizing that much of the drained money was redirected to fund the terrorist activities of Tren de Aragua’s leaders.


