Thieves are using USB drives to hijack ATMs and steal their contents
Banks across the United States and in several other countries are facing a surge in malware attacks that require physical access to their ATMs, according to a recent cybersecurity alert from the FBI. The Bureau cautioned that threat actors are sidestepping both physical protections and digital defenses by exploiting aging operating systems and the maintenance conveniences still in use on many machines.
According to the FBI, attackers frequently open the ATM's maintenance cabinet (the top box housing the PC core, as opposed to the cash safe) using generic keys that are readily available, giving them direct access to the internal storage drive. From there, they either install malicious software onto the existing drive or replace it entirely with a drive that has already been loaded with malware.
Once the ATM is powered back on, the injected malware launches automatically, giving the attacker control of the terminal. A frequently deployed strain in these incidents is Ploutus, an ATM malware family first reported in 2013 that remains effective because it does not depend on any single software bug: it talks directly to the middleware every ATM application already uses.
Instead of attempting to breach banking networks or bypass online security perimeters, Ploutus targets XFS (eXtensions for Financial Services), the middleware that ATM applications use to drive the machine's peripherals: the cash dispenser, card reader and PIN pad. XFS sits between the ATM's operating system (typically Windows) and that hardware, and therefore below the point at which a legitimate withdrawal is authorized by the bank's host. By issuing its own dispense commands straight to the XFS layer, Ploutus never touches the standard transaction validation process at all: the dispenser is simply told to pay out, with no card, PIN or authenticated account ever being presented.
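The point above is an architectural one: host-side authorization protects nothing once code on the PC core can talk to the dispenser directly. The toy model below is an added example written for this page, not code from the FBI alert, from Ploutus or from any ATM vendor. It makes no real XFS calls; the classes, the `xfs_dispense` method, the account data and the key are all constructed for illustration. The `require_host_auth` switch models one mitigation some vendors offer under names such as "dispenser authentication": the dispenser pays out only against an authorization the bank host has signed with a key the PC core never holds, so the malware's direct command is refused even though it reaches the XFS layer.

```python
"""Toy model of the trust boundary Ploutus abuses (added example, not vendor code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Hypothetical key shared by the bank host and the dispenser's secure element.
# The PC core, where ATM malware runs, never holds it.  Constructed demo value.
HOST_DISPENSER_KEY = b"demo-key-do-not-use"


class Dispenser:
    """Models the cash dispenser reached through the XFS layer."""

    def __init__(self, require_host_auth: bool) -> None:
        self.require_host_auth = require_host_auth
        self.dispensed = 0                      # total cash paid out
        self._seen_nonces: set[str] = set()     # replay protection

    def xfs_dispense(self, amount: int, auth: tuple[str, bytes] | None = None) -> bool:
        """XFS-style dispense command.  Returns True if cash left the safe."""
        if self.require_host_auth:
            if auth is None:
                return False
            nonce, tag = auth
            if nonce in self._seen_nonces:      # replayed authorization
                return False
            msg = f"{nonce}:{amount}".encode()
            expected = hmac.new(HOST_DISPENSER_KEY, msg, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False
            self._seen_nonces.add(nonce)
        self.dispensed += amount
        return True


class BankHost:
    """Authorizes withdrawals against account state and signs approved amounts."""

    def __init__(self, accounts: dict[str, tuple[str, int]]) -> None:
        self.accounts = dict(accounts)          # account -> (pin, balance)

    def authorize(self, account: str, pin: str, amount: int) -> tuple[str, bytes] | None:
        entry = self.accounts.get(account)
        if entry is None or not hmac.compare_digest(entry[0], pin) or entry[1] < amount:
            return None
        self.accounts[account] = (entry[0], entry[1] - amount)
        nonce = secrets.token_hex(8)
        tag = hmac.new(HOST_DISPENSER_KEY, f"{nonce}:{amount}".encode(), hashlib.sha256).digest()
        return nonce, tag


class AtmApplication:
    """Legitimate path: card + PIN -> host authorization -> XFS dispense."""

    def __init__(self, host: BankHost, dispenser: Dispenser) -> None:
        self.host = host
        self.dispenser = dispenser

    def withdraw(self, account: str, pin: str, amount: int) -> bool:
        auth = self.host.authorize(account, pin, amount)
        if auth is None:
            return False
        return self.dispenser.xfs_dispense(amount, auth)


def jackpot(dispenser: Dispenser, amount: int) -> bool:
    """Ploutus-style path: code on the PC core issues the dispense command
    itself, never touching the host or any account."""
    return dispenser.xfs_dispense(amount)


def run_scenario(require_host_auth: bool) -> dict[str, bool | int]:
    """Runs the legitimate path, a wrong PIN, the malware path and a replay."""
    host = BankHost({"4111": ("1234", 500)})    # constructed demo account
    dispenser = Dispenser(require_host_auth)
    atm = AtmApplication(host, dispenser)
    captured = host.authorize("4111", "1234", 100)   # a genuine, once-valid auth
    return {
        "legit_withdraw": atm.withdraw("4111", "1234", 100),
        "wrong_pin_rejected": not atm.withdraw("4111", "0000", 100),
        "malware_dispense": jackpot(dispenser, 1000),
        "replay_accepted": dispenser.xfs_dispense(100, captured)
                           and dispenser.xfs_dispense(100, captured),
        "total_dispensed": dispenser.dispensed,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("dispenser verifies host auth:", mode, run_scenario(mode))
```

With `require_host_auth=False` the model behaves like the ATMs in the alert: the legitimate withdrawal and the wrong-PIN rejection both work as designed, yet the direct dispense succeeds and the safe pays out 1,300 in total. With the switch on, the direct command and the replayed authorization are refused and only the two host-approved withdrawals (200) leave the safe. The lesson is where the check lives, not how strong the PC-side check is.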
Since 2020, approximately 1,900 attacks of this nature have been documented, around 700 of them in 2025 alone, and the losses tied to them have surpassed $20 million. The exposure is not confined to a particular manufacturer or banking network, largely because many ATMs continue to run outdated Windows builds that no longer receive security updates.
For example, a significant number of machines still run Windows 7, which debuted in 2009; Microsoft ended its extended support in January 2020 (paid Extended Security Updates ran until January 2023), so the operating system no longer receives security patches. The FBI emphasized that cybercriminals can exploit weaknesses in these legacy operating systems across hardware platforms faster than operators can patch, where a patch exists at all.