ATM Jackpotting
What is ATM Jackpotting?
An attack in which the cash dispenser of an ATM is forced to spit out all its cash, either via physical access to the top box or via a network compromise.
ATM jackpotting was demonstrated publicly by the late Barnaby Jack at Black Hat 2010, where he made Tranax and Triton machines spray cash in a demo he named "Jackpotting." Modern attacks fall into two families.
Physical jackpotting
The crew opens the ATM's top box (often with a stolen or universal key), disconnects the dispenser from the running PC, and attaches an attacker device such as a laptop or Raspberry Pi, sometimes using a medical endoscope to locate and reach the dispenser cable. Malware such as Ploutus.D, Cutlet Maker (sold as crimeware-as-a-service on the dark web for ~$5,000) or WinPot then talks to the dispenser through the XFS (eXtensions for Financial Services) middleware, issuing dispense commands that empty every cassette in minutes. The first confirmed U.S. jackpotting wave hit in January 2018 (Secret Service/Diebold Nixdorf alerts).
Network cash-out
```mermaid
flowchart TD
    A[Spear-phish bank employee] --> B[Foothold in bank network]
    B --> C[Reach payment switch<br/>server AIX/Windows]
    C --> D[Inject Trojan.FastCash<br/>into switch process]
    D --> E[Mule inserts card<br/>at ATM abroad]
    E --> F[Withdrawal request hits<br/>compromised switch]
    F --> G[Malware forges<br/>ISO 8583 approval]
    G --> H["ATM dispenses cash;<br/>real account balance untouched"]
```
FASTCash, run by the DPRK-linked Lazarus/APT38 (Hidden Cobra / BeagleBoyz) group, compromises a bank's payment-switch application server and forges ISO 8583 approval messages so mule cards withdraw cash the account can't cover. CISA/FBI/Treasury detailed it in October 2018; in a single 2017 incident cash was pulled from ATMs in over 30 countries simultaneously, and a 2018 incident spanned 23 countries, with total losses estimated in the tens of millions of dollars.
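A reconciliation check in the spirit of the pattern just described, added here as an example (it is not code from the original page, from CISA or from any switch vendor): it compares constructed switch-log approvals against a constructed core-banking ledger and flags approvals the host never posted, or that one card collected from many countries in the same window. The pipe-separated field layout and the ledger shape are assumptions made for the demo.

```python
from collections import defaultdict

# Constructed switch log (not real data): one ISO 8583 0210 response per
# line as a simplified pipe-separated record.
# Fields: MTI|STAN|masked PAN|amount_cents|F39 response code|ATM country|time
SWITCH_LOG = """\
0210|000101|4111********1111|20000|00|US|2018-10-02T03:01:00
0210|000102|5500********0004|50000|00|PH|2018-10-02T03:01:05
0210|000103|5500********0004|50000|00|IN|2018-10-02T03:01:09
0210|000104|5500********0004|50000|00|TH|2018-10-02T03:01:12
0210|000105|4000********0002|10000|51|US|2018-10-02T03:02:00
"""

# Constructed core-banking view keyed by STAN: whether the host actually
# posted a debit, and the account's available balance before the request.
LEDGER = {
    "000101": {"posted": True, "balance_cents": 150000},
    "000102": {"posted": False, "balance_cents": 1200},
    "000103": {"posted": False, "balance_cents": 1200},
    "000104": {"posted": False, "balance_cents": 1200},
    "000105": {"posted": False, "balance_cents": 500},
}

def parse_log(text):
    """Split the constructed log into one dict per response."""
    rows = []
    for line in text.strip().splitlines():
        mti, stan, pan, amt, rc, country, ts = line.split("|")
        rows.append({"mti": mti, "stan": stan, "pan": pan, "amount": int(amt),
                     "rc": rc, "country": country, "ts": ts})
    return rows

def find_suspect_approvals(rows, ledger, fanout_threshold=3):
    """Return STANs of approvals that core banking cannot account for.
    Signal 1: switch answered '00' but the host posted no debit, or the
    balance could not cover the amount (a forged approval).
    Signal 2: one PAN approved from many countries in the same window.
    """
    suspects = set()
    countries = defaultdict(set)
    approved = [r for r in rows if r["rc"] == "00"]  # only approvals dispense
    for r in approved:
        entry = ledger.get(r["stan"])
        if entry is None or not entry["posted"] or entry["balance_cents"] < r["amount"]:
            suspects.add(r["stan"])
        countries[r["pan"]].add(r["country"])
    for r in approved:
        if len(countries[r["pan"]]) >= fanout_threshold:
            suspects.add(r["stan"])
    return sorted(suspects)
```

In production the ledger lookup would be a query against the core-banking host, and the fan-out window would be bounded by time rather than by a log file.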
Defences
Defences combine physical sensors and stronger locks on the top box; BIOS passwords and full-disk encryption; application allowlisting on the ATM OS; signed, authenticated dispenser firmware and XFS 3.0+ end-to-end encryption between PC and dispenser; and segmentation, MFA and message authentication (MACs) on the ATM-to-switch link.
● Examples
- 01
Mules with the Cutlet Maker MaaS kit emptying Eastern European ATMs in 2017-2018.
- 02
Lazarus group's FASTCash scheme pushing approval messages to drain ATMs of over 100 million USD.
● Frequently asked questions
What is ATM Jackpotting?
An attack in which the cash dispenser of an ATM is forced to spit out all its cash, either via physical access to the top box or via a network compromise. It belongs to the Attacks & Threats category of cybersecurity.
What does ATM Jackpotting mean?
An attack in which the cash dispenser of an ATM is forced to spit out all its cash, either via physical access to the top box or via a network compromise.
How do you defend against ATM Jackpotting?
Defences for ATM Jackpotting typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ATM Jackpotting?
Common alternative names include: Jackpotting, Cash-out attack.