For years, many attacks on the financial system have been associated with complex digital operations, conducted remotely and using advanced techniques. However, the most recent alert from the Federal Bureau of Investigation (FBI) shows a different reality in the United States, in which physical methods, combined with malware, are once again gaining ground as a way to withdraw money from ATMs.
According to the FBI, there has been an increase in attacks on ATMs that do not require the use of a bank card, customer account or bank authorization at all. Instead, criminals resort to physical access to machines to compromise their operation.
The method that is worrying authorities
The warning only makes sense once you understand how this scheme works. This is a technique known as “jackpotting”, which allows attackers to force an ATM to release money directly.
According to the FBI’s technical alert, attackers are able to open the front or technical compartment of the machine, often using generic keys, and introduce malware into the system. In some cases, they remove or replace the hard drive; in others, they use external devices to load malicious software.
After restarting, the machine starts responding to the malware’s commands, allowing the release of money without a legitimate transaction and without authorization from the bank.
A problem that is not new, but is growing
According to the FBI, this type of attack has been increasing in the United States. Since 2020, almost 1,900 ATM jackpotting incidents have been reported in that country. In 2025 alone, more than 700 cases occurred, with losses exceeding 20 million dollars.
Europol and Trend Micro had previously described malware targeting ATMs as a threat observed in several regions of the world, with evolution over the years. The alert now released by the FBI confirms a significant increase in the United States and shows that the problem is not limited to a single manufacturer, as many machines use similar technologies.
Old software makes attacks easier
One of the factors highlighted in security reports for this type of vulnerability is the use of outdated operating systems.
Europol and Trend Micro had already warned that many ATMs continued to work with old software, which could facilitate the exploitation of known flaws. The FBI, in turn, explains that the Ploutus malware exploits the XFS layer, used to communicate between the machine system and its physical components.
This type of approach bypasses traditional banking authorization, as commands are sent directly to the machine as money release orders.
And in Portugal?
The FBI alert concerns the United States and does not indicate the existence of a similar wave in the Portuguese network. In Portugal, the Multibanco network is managed by SIBS and, according to Banco de Portugal, it functions as a shared and integrated nationwide network.
SIBS states that the Multibanco network has 24-hour security monitoring, surveillance, direct connection to authorities and physical security systems, including gas and explosive detection, ink staining that renders banknotes unusable and anti-fraud monitoring.
Still, the North American case shows that the security of an ATM does not depend solely on digital protection. When there is direct access to the inside of the machine, the risk also involves physical protection, updating the equipment and the ability to detect anomalous manipulations.
In Portugal, an intrusion of this type could also be criminally classified under the Cybercrime Law, particularly in matters such as illegitimate access, damage to computer programs or data and computer sabotage, in addition to possible property crimes.
Recommended measures
Given this scenario, the FBI recommends several preventive measures to financial institutions and ATM operators.
These include replacing generic locks with more secure systems, installing sensors that detect vibration, temperature changes or improper opening, reinforcing physical barriers and improving video surveillance.
Technical measures are also recommended, such as validating software integrity, disk encryption, controlling unauthorized devices, auditing removable storage, whitelisting hardware and software, monitoring logs and detecting suspicious executables.
The FDIC Office of Inspector General, another North American authority, also alerted banks to the same phenomenon, recommending the exchange of standard keys, alarms in ATM compartments, software encryption and increased surveillance.
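As an added illustration of the log-monitoring and removable-storage auditing measures (this is not code from the FBI alert or from the original article), the sketch below correlates ATM events to flag the sequence described earlier: cabinet opened, media attached or disk changed, reboot, then a dispense with no host authorization. The log line format, event names and ATM identifiers are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events; the line format and event names are assumptions,
# not the output of any real ATM platform or vendor agent.
SAMPLE_LOG = """\
2025-03-02T01:10:00Z ATM-0007 HOST_AUTH txn=8841
2025-03-02T01:10:04Z ATM-0007 DISPENSE txn=8841
2025-03-02T02:14:05Z ATM-0042 CABINET_OPEN
2025-03-02T02:15:40Z ATM-0042 USB_ATTACH
2025-03-02T02:19:12Z ATM-0042 REBOOT
2025-03-02T02:23:30Z ATM-0042 DISPENSE txn=-
2025-03-02T03:00:00Z ATM-0007 CABINET_OPEN
"""

MEDIA_EVENTS = {"USB_ATTACH", "DISK_CHANGE"}
WINDOW = timedelta(minutes=30)

def parse(line):
    ts, atm, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), atm, event, fields

def detect(log_text, window=WINDOW):
    """Return a sorted list of (atm_id, finding) tuples."""
    state = {}        # per-ATM: last cabinet open, last media change, authorised txns
    findings = set()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, atm, event, fields = parse(line)
        s = state.setdefault(atm, {"opened": None, "media": None, "auth": set()})
        if event == "CABINET_OPEN":
            s["opened"] = ts
        elif event in MEDIA_EVENTS:
            # A media change only counts if it follows a recent cabinet opening.
            if s["opened"] and ts - s["opened"] <= window:
                s["media"] = ts
        elif event == "REBOOT":
            if s["media"] and ts - s["media"] <= window:
                findings.add((atm, "tamper-chain"))
        elif event == "HOST_AUTH":
            s["auth"].add(fields["txn"])
        elif event == "DISPENSE":
            txn = fields.get("txn", "-")
            if txn not in s["auth"]:
                findings.add((atm, "unauthorised-dispense"))
            s["auth"].discard(txn)   # one authorisation covers one dispense
    return sorted(findings)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A cabinet opening on its own (routine servicing) raises nothing; only the full chain or a dispense without a matching authorization is reported.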
An alert that goes beyond digital
This type of attack shows that the security of financial systems does not just depend on firewalls or encryption.
When physical access allows the machine to be compromised, the challenge also becomes structural, requiring hardware updates, reinforcement of protection mechanisms and better detection of suspicious changes.
Unlike card fraud, this attack does not directly target the customer’s PIN or account. The target is the ATM itself and the money stored in the equipment.
In the end, as US authorities warn, apparently simple physical methods, when combined with malware, can exploit weaknesses in systems that initially appear secure.