The U.S. Department of Justice announced on Monday the indictment of 31 individuals involved in a conspiracy to steal millions of dollars from ATMs using Ploutus malware. The indictment describes a scheme that ran from February 2024 to December 2025, during which at least $5.4 million was stolen from more than 63 ATMs, most of them belonging to credit unions. The accused face multiple charges, including conspiracy to commit bank fraud, bank burglary, computer fraud, and damage to computers.
The Complex Scheme and Malware Usage
The criminal operation followed a repeatable sequence for defeating ATM security. Members of the gang would first surveil candidate ATMs and open the machines to test the alarm response. If law enforcement did not respond to an opened ATM, they would allegedly remove the ATM's hard drive and replace it with a modified one carrying the Ploutus malware, or attach a thumb drive to load the malware. Once running on the ATM's PC core, the malware issues cash-dispense commands directly to the machine, bypassing the bank's authorization path, so the dispenser empties its cassettes on the attacker's instruction.
This tactic, known as "ATM jackpotting," has been a growing concern for financial institutions and has evolved over more than a decade, with Ploutus among the most sophisticated malware families in use. Every step of the scheme described above depends on unmonitored physical access to the ATM's cabinet and an unprotected boot path, which is why the standard countermeasures are cabinet alarms with an actual response, full-disk encryption of the ATM hard drive, a locked BIOS that refuses to boot from removable media, and application allowlisting on the ATM operating system.
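The sequence above (an unauthorized cabinet open, a reboot shortly afterwards, then a burst of dispense commands) is the kind of pattern a monitoring team can correlate rather than treating each event as a separate alarm. The following is an added example written for this page, not code from the indictment or from any ATM vendor. The journal format, the event names (DOOR_OPEN, BOOT, DISPENSE, SERVICE_TICKET), the thresholds and the sample log are all constructed assumptions; real ATM journals and alarm-panel feeds differ by vendor and would need their own parser.

```python
"""Toy detector for the ATM-jackpotting sequence described above.

Correlates physical-access events with subsequent boots and dispense
bursts. Log format, event names and thresholds are assumptions made for
this example; real ATM journals and alarm panels differ by vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journal: "ISO-timestamp,atm_id,event,detail".
# ATM-17 shows the attack pattern; ATM-22 is a ticketed service visit.
SAMPLE_LOG = """\
2025-03-02T01:10:00,ATM-17,DOOR_OPEN,top-hat
2025-03-02T01:11:30,ATM-17,DOOR_CLOSE,top-hat
2025-03-04T02:05:00,ATM-17,DOOR_OPEN,top-hat
2025-03-04T02:06:10,ATM-17,BOOT,disk-serial=UNKNOWN
2025-03-04T02:09:00,ATM-17,DISPENSE,40
2025-03-04T02:09:20,ATM-17,DISPENSE,40
2025-03-04T02:09:40,ATM-17,DISPENSE,40
2025-03-04T02:10:00,ATM-17,DISPENSE,40
2025-03-03T10:00:00,ATM-22,SERVICE_TICKET,T-5512
2025-03-03T10:05:00,ATM-22,DOOR_OPEN,top-hat
2025-03-03T10:30:00,ATM-22,BOOT,disk-serial=KNOWN-22
2025-03-03T11:00:00,ATM-22,DISPENSE,20
"""

SERVICE_WINDOW = timedelta(hours=2)      # a ticket must precede a door open by at most this
BOOT_AFTER_OPEN = timedelta(minutes=30)  # a reboot this soon after an unauthorized open is suspect
BURST_WINDOW = timedelta(minutes=5)      # sliding window for dispense volume
BURST_NOTES = 100                        # notes dispensed within BURST_WINDOW that trips an alert


def parse(log_text):
    """Parse the constructed journal into per-ATM event lists sorted by time."""
    per_atm = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, atm, event, detail = line.split(",", 3)
        per_atm[atm].append((datetime.fromisoformat(ts), event, detail))
    for events in per_atm.values():
        events.sort(key=lambda e: e[0])
    return per_atm


def detect(log_text):
    """Return (atm_id, rule, timestamp) alerts for the jackpotting pattern."""
    alerts = []
    for atm, events in parse(log_text).items():
        last_ticket = None    # time of most recent SERVICE_TICKET
        last_bad_open = None  # time of most recent unauthorized DOOR_OPEN
        burst = []            # (time, notes) dispensed within BURST_WINDOW
        for ts, event, detail in events:
            if event == "SERVICE_TICKET":
                last_ticket = ts
            elif event == "DOOR_OPEN":
                # Cabinet opened with no recent ticket: the "test the alarm
                # response" step. This alone should page someone.
                if last_ticket is None or ts - last_ticket > SERVICE_WINDOW:
                    last_bad_open = ts
                    alerts.append((atm, "unauthorized_open", ts.isoformat()))
            elif event == "BOOT":
                # A reboot right after an unauthorized open is consistent with
                # a swapped hard drive or a boot from attached USB media.
                if last_bad_open and ts - last_bad_open <= BOOT_AFTER_OPEN:
                    alerts.append((atm, "boot_after_open", ts.isoformat()))
            elif event == "DISPENSE":
                burst.append((ts, int(detail)))
                burst = [(t, n) for t, n in burst if ts - t <= BURST_WINDOW]
                if sum(n for _, n in burst) >= BURST_NOTES:
                    alerts.append((atm, "dispense_burst", ts.isoformat()))
                    burst = []  # one alert per burst, not one per note batch
    return alerts


def escalate(alerts):
    """ATMs where access, boot and dispense anomalies all fired: treat as an
    active cash-out in progress rather than three unrelated tickets."""
    rules = defaultdict(set)
    for atm, rule, _ in alerts:
        rules[atm].add(rule)
    full_chain = {"unauthorized_open", "boot_after_open", "dispense_burst"}
    return sorted(atm for atm, seen in rules.items() if seen >= full_chain)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("cash-out in progress:", escalate(found))
```

The point of the example is the correlation, not any single rule: a door-open alert that nobody acts on is exactly what the gang's "test the alarm response" step probes for, while a dispense burst alone arrives too late. Tying the three together lets a response team rank the machine that has just been opened and rebooted above the one with a routine ticketed service call.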
Involvement of Tren de Aragua Gang and Legal Actions
The Department of Justice has stated that some of the individuals charged in the conspiracy are illegal immigrants affiliated with Tren de Aragua (TdA), a notorious Venezuelan gang known for its involvement in organized crime across several countries. The charges against the defendants include conspiracy to commit bank fraud, conspiracy to commit bank burglary, and various other criminal offenses tied to their involvement in the scheme.
In a related development, 56 other individuals were also charged in connection to similar ATM jackpotting activities last month, further underlining the scale of the operation.
Ploutus Malware: A Decade of Risk and Evolving Threats
Ploutus malware has been on cybersecurity experts' radars for more than a decade. First detected in 2013 by Symantec, Ploutus has since evolved and is considered by Google researchers to be "one of the most advanced ATM malware families" they've encountered. The malware was first used in an ATM jackpotting spree in Mexico and has since been adapted to ATMs from several vendors, including Diebold Nixdorf machines and ATMs running KAL's Kalignite multivendor software platform.
Experts from U.S. agencies have long warned the public and financial institutions about the threat posed by Ploutus malware, urging heightened vigilance against such cybercrimes.
Conclusion
The federal indictment marks a significant step in cracking down on the use of Ploutus malware in ATM jackpotting schemes, with 31 individuals now facing charges for their role in the theft of millions from ATMs across the U.S. This case serves as a reminder of the evolving nature of cybersecurity threats, highlighting the importance of robust security measures for financial institutions and the public.