ATM Jackpotting
What is ATM Jackpotting?
An attack in which the cash dispenser of an ATM is forced to spit out all its cash, either via physical access to the top box or via a network compromise.
ATM jackpotting was demonstrated publicly by Barnaby Jack at Black Hat 2010 with the Tranax and Triton attack he called 'Jackpotting'. Modern attacks fall into two families. Physical: the attacker opens the top box, plugs a Raspberry Pi or laptop into the dispenser, then loads malware such as Ploutus.D, Cutlet Maker or WinPot to issue XFS dispense commands and empty the cassettes in minutes. Network: a banking-network intrusion (FASTCash, used by the DPRK-linked Lazarus group against Asian and African banks from 2016 onward) pushes responses approving fraudulent withdrawals from mule cards. Defences include physical sensors on the top box, BIOS and full-disk encryption, application allowlisting on the ATM, dispenser firmware signing, and segregation/encryption of the ATM-to-switch connection.
● Examples
- Mules with the Cutlet Maker MaaS kit emptying Eastern European ATMs in 2017-2018.
- Lazarus group's FASTCash scheme pushing approval messages to drain ATMs of over 100 million USD.
● Frequently asked questions
What is ATM Jackpotting?
An attack in which the cash dispenser of an ATM is forced to spit out all its cash, either via physical access to the top box or via a network compromise. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against ATM Jackpotting?
Defences for ATM Jackpotting typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ATM Jackpotting?
Common alternative names include: Jackpotting, Cash-out attack.
● Related terms
- Payment Fraud (attacks): Any deceptive scheme that diverts money through the payment system, covering card, wire, ACH, real-time-payment and digital-wallet abuse.
- Credit Card Fraud (attacks): Unauthorized use of payment-card data — from card-present skimming to card-not-present online theft and BIN attacks — to extract money from cardholders or merchants.
- Banking Trojan (malware): Malware designed to steal online-banking credentials and authorize fraudulent transactions, typically through web injects, form grabbing, or overlays.
- Supply Chain Attack (attacks): An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- Insider Threat (defense-ops): The risk that a current or former employee, contractor, or partner with authorised access misuses it to cause harm, intentionally or by negligence.