The Machine in the Wall

It dispenses money. That is its whole purpose, its reason for existing, the one thing it does with any reliability. You feed it your card and your four-digit secret and it counts out whatever you asked for — not a dollar more, not a dollar less, every transaction logged, timestamped, tied to you specifically. The system works because it knows who you are.

Strip that knowledge away. That is the game.

ATM jackpotting is the art of making a cash machine pay out on command — no card, no PIN, no account to debit, no trail leading anywhere useful. Someone pries open the hood, plugs in a device, and walks off. The machine then sits there, quietly, dispensing money into the hands of whoever comes to collect it. Not a metaphor. Not a hypothetical. A thing that happened over 1,800 times across the United States between roughly 2017 and March 2026, according to the FBI's special agent in charge of the Omaha field office — with reported losses topping $55 million.

Ninety-three people were eventually charged in a Nebraska federal prosecution tied to the scheme. The alleged developer of the malware at the centre of it wound up as the 540th name ever added to the FBI's Ten Most Wanted Fugitives list. He had, prosecutors alleged, been running the whole technical operation from Venezuela.

This is what happened. In order.

July 2010: A Researcher Names His Tools

None of it was secret, exactly. That is the part that should bother you.

At a security conference in Las Vegas in July 2010, a New Zealand researcher stood up and showed a room full of professionals how to make ATMs dispense cash on demand. He worked on two models — a Tranax and a Triton, both running Windows CE. The remote attack went through a Tranax. The hands-on demonstration used a Triton. Both machines opened up like cheap luggage. He had named his tools "Dillinger" and "Scrooge." The former handled remote control and machine management. The latter was a firmware rootkit — the kind of thing that burrows in and stays.

He had tried to give this talk the year before. An affected vendor had leaned on his employer, and the presentation was pulled from the 2009 schedule. Nothing was patched in the interim. He came back in 2010 and gave the talk anyway, and his summary of every ATM he had examined was blunt: each one contained what he called a game-over vulnerability. One flaw. Sufficient to own the machine entirely.

The industry heard him. It understood what was coming. What it did about that understanding — and how fast — is a different question.

2013: Ploutus Is Born in Mexico

Three years later, the criminals caught up.

Security researchers in Mexico found malware running on ATMs that had no business being there. It was designed to do one thing: order the cash dispenser to empty itself. Somebody named it Ploutus — after the Greek deity of wealth, which is either a classicist's joke or a statement of intent, depending on your perspective.

The mechanism was a software layer called XFS. eXtensions for Financial Services. The interface that sits between a bank's operating software and the ATM's physical hardware — the part that says, in plain terms, dispense this amount from cassette three. Ploutus reached past everything above it and spoke directly to that layer. No authentication required. No account balance checked. No transaction record created. Just the raw instruction to a dispenser that had been built, from the ground up, to comply.

By 2014, a variant had appeared that accepted commands through SMS messages sent to a mobile phone tethered to the ATM's USB port. Text the machine. Get the money. By 2016 and 2017, a version targeting a specific manufacturer's hardware was circulating. The security firm FireEye analyzed it and reached a conclusion that should have alarmed every banker alive: with minimal code adjustments, the malware could be adapted to work against machines from 40 different manufacturers in 80 countries. The underlying platform it exploited was that universal.

January 2018: The Warning Arrives, Quietly

Word reached American financial institutions in January 2018 — not through any public announcement, but through confidential channels, the kind of alert that moves between industry partners and never gets a press release. Jackpotting had arrived in the United States.

The targets were standalone ATMs. The ones in pharmacies. Big-box retailers. Drive-through bays. Not the monitored, camera-saturated units inside bank branches — the machines in places where a person crouching over an open ATM hood at an odd hour looks, from twenty feet away, more or less like a service technician doing his job.

The industry began patching. The industry kept talking about patching. And a loosely organised network of Venezuelan nationals with very specific technical support continued driving from city to city, opening ATM hoods with generic keys that cost practically nothing, and installing malware that cost them even less.

October 21, 2025: Nebraska Unseals an Indictment

The federal case that would eventually swallow 93 defendants began in the U.S. District Court for the District of Nebraska. On October 21, a grand jury returned the first indictment: 32 individuals, 56 counts. Conspiracy to commit bank fraud. Conspiracy to commit bank burglary and computer fraud. Bank fraud. Bank burglary. Damage to computers.

The losses across all four indictments that would follow: in excess of $6 million to victim financial institutions, with at least $1.74 million more attempted. Each jackpotting attempt, prosecutors noted, produced losses exceeding $100,000.

The method was operational in the way a franchise is operational. Groups of men would travel together, multiple vehicles, to the location of a targeted bank or credit union. They would assess the ATM's external security features. They would open the machine's hood or door — with generic keys, the kind you can order without showing identification — and wait. Watch. See whether opening the cabinet had triggered an alarm response worth worrying about. If nothing came, they proceeded.

The Ploutus variant went in one of three ways: pull the ATM's hard drive, load the malware directly, reinstall; replace the drive outright with one pre-loaded and ready to go; or connect an external device — a thumb drive — that deployed it automatically. Once running, the FBI's subsequent FLASH advisory explained, the malware bypassed bank authorization entirely, exploiting the XFS layer that instructs an ATM what to physically do. It was also, prosecutors alleged, written to delete evidence of itself afterward. Tidy work.

The FBI's advisory — issued February 19, 2026, the day before the final charging announcement — listed the suspicious executable files associated with the malware: Newage.exe, Color.exe, Levantaito.exe, NCRApp.exe, sdelete.exe, Promo.exe, WinMonitor.exe, WinMonitorCheck.exe, and Anydesk1.exe. Remote access tools — AnyDesk and TeamViewer — had been observed running alongside them.

December 9, 2025: The Organization Gets Named

The second indictment arrived December 9, charging 22 more individuals. It was also the moment prosecutors named the organizational force they had been working toward: Tren de Aragua, a Venezuelan criminal group that the United States government had formally designated a Foreign Terrorist Organization. Prosecutors alleged the jackpotting scheme was theirs.

Among those charged in December was an alleged gang leader described as a Venezuelan entertainer who had been sanctioned by the U.S. Treasury's Office of Foreign Assets Control. The Treasury alleged she had helped the head of Tren de Aragua escape from a Venezuelan prison in 2012. All defendants are presumed innocent until proven guilty.

The money structure, as prosecutors described it in a related New England case filed months later, was clean and uncomplicated: 50 per cent of every jackpot went to Tren de Aragua leadership in Venezuela. The other 50 per cent stayed with the ground crew — the men who had driven out, opened the machines, waited in parking lots for police that usually did not come.

Half to the people at the top, sitting overseas, untouched. Half to the people standing next to a humming ATM at two in the morning, wearing coveralls that made them look like technicians.

Prior Cases: The Threads Were Already There

Nebraska was not the beginning. It was the consolidation.

In 2019, federal prosecutors in Utah charged seven Venezuelan nationals in connection with jackpotting attacks on ATMs in Washington state and one machine in Sandy, Utah, plus attempted attacks on additional Salt Lake City-area units. Total taken: $306,200. One defendant eventually pleaded guilty to conspiracy to commit bank theft and was sentenced to 42 months in federal prison.

In Mississippi, two alleged Tren de Aragua members were sentenced for jackpotting attacks carried out in November 2024. Ten months each, three years of supervised release, $47,250 in restitution apiece. The Mississippi attorney general's office estimated the operation had averted nearly $180,000 in additional losses. Both defendants were to be deported after completing their sentences.

In February 2026, a federal case in Massachusetts charged two more Venezuelan nationals — arrested February 5 in Augusta, Maine, following an attempted jackpotting robbery there — with conspiracy to commit bank theft. Prosecutors linked them to attacks across Connecticut, Massachusetts, New Hampshire, and Rhode Island. Both are presumed innocent until proven guilty.

Same method. Same malware family. Same basic architecture of travel, reconnaissance, access, extraction, disappearance. Different states, different years, different defendant names. Something with roots going down a long way.

January and February 2026: The Count Climbs

A third Nebraska indictment, returned January 21 and announced January 26, 2026, added 31 defendants. Running total: 87.

The fourth indictment — returned February 18, announced February 20 — charged six more. Their names, from the charging document: Wester Eduardo Dugarte Goicochea, 43; Mauro Angel Briceno Caldera, 37; Henry Rafael Gonzalez-Gutierrez, 37; Giovanny Miguel Ocanto Yance, 26 — all Venezuelan nationals, all residing in the Houston area at the time of charging. Plus Jelfenson David Bolivar Diaz, 38, and Arlinzon Jose Reyes Villegas, 21, both Venezuelan nationals. Same five charges as indictment one.

Total: 93 defendants. The Justice Department noted that in the six months preceding February 20, 2026, charges had been brought against 93 Tren de Aragua members and leaders in the Nebraska prosecution. Maximum sentences, if convicted, run from 20 to 335 years depending on the specific counts. All defendants are presumed innocent until proven guilty.

The FBI's February 2026 FLASH advisory quantified what had been building in the background: out of 1,900 ATM jackpotting incidents reported to federal authorities since 2020, more than 700 — generating losses exceeding $20 million — had occurred in 2025 alone. The FBI's Omaha special agent in charge put the longer view plainly: since roughly 2017, there had been over 1,800 reported jackpotting incidents across the United States, with losses exceeding $55 million.

March 12, 2026: Fugitive Number 540

The investigation had always pointed toward one name.

He had not, as far as prosecutors could determine, ever needed to set foot near an ATM. He worked remotely. From Venezuela, according to the FBI, using remote access software to install the malware on target machines while crews on the ground handled the physical side. He had been doing this, agents believed, since approximately 2017. He had built the Ploutus variant the crews deployed. His operational aliases were "The Engineer" and "Prometheus."

On March 12, 2026, he became the 540th person added to the FBI's Ten Most Wanted Fugitives list in the history of that list, which began in March 1950. The FBI also stated he was the first person accused of cybercrime ever placed on it.

His federal arrest warrant had been issued December 9, 2025, District of Nebraska. The charges: conspiracy to commit bank fraud; conspiracy to commit bank burglary and intentionally damage a protected computer system; conspiracy to commit money laundering; conspiracy to provide material support to terrorists. A reward of up to $1 million was offered for information leading to his capture.

As of this writing, he has not been apprehended.

What the Machine Never Knew

The ATM does not have opinions. It does not weigh the merit of instructions. It receives a command through a software layer and it executes — because that is the design, and the design has not fundamentally changed since the machines first appeared on pharmacy walls.

The XFS interface that Ploutus exploits is not a flaw in the traditional sense. It is how every legitimate cash withdrawal you have ever made was processed. It is the channel through which the bank's system tells the dispenser's hardware what to do. Reaching that layer — directly, without the authentication and logging sitting above it — requires physical access. Someone has to open the machine. Someone has to connect a device. The lock on the hood has to be defeatable, and in the machines targeted in these attacks, it was: generic keys, widely available.

The FBI's February 2026 advisory laid out what financial institutions should be doing: cryptographic validation of hard-drive integrity against a clean reference image; auditing of removable-storage insertions and process creation; software and device whitelisting; replacement of standard locks with hardened alternatives; physical threat sensors; disk encryption; firmware integrity checks. Recommended steps. Not regulations. The difference matters, and the people running ATM crews across six years and over 1,800 incidents understood it.

The machine paid out when it was told to pay out. That is what it was built to do. Nobody told it any different.
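The auditing items in the advisory's list (removable-storage insertions, process creation, allowlisting) can be combined in a single triage pass over endpoint events. This is an added example, not code from the FBI advisory or from this article; the JSON event schema, host names, allowlist and ten-minute correlation window are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Executable names the article quotes from the FBI advisory.
ADVISORY_NAMES = {n.lower() for n in (
    "Newage.exe", "Color.exe", "Levantaito.exe", "NCRApp.exe", "sdelete.exe",
    "Promo.exe", "WinMonitor.exe", "WinMonitorCheck.exe", "Anydesk1.exe")}
REMOTE_TOOLS = ("anydesk", "teamviewer")   # substring match is an assumption
ALLOWLIST = {"atmapp.exe", "svchost.exe"}  # hypothetical per-image allowlist
USB_WINDOW = timedelta(minutes=10)         # assumed correlation window

# Constructed sample events, not real logs; the schema is an assumption.
SAMPLE_LOG = r"""
{"ts":"2026-01-10T02:11:00","host":"ATM-017","event":"process_create","image":"C:\\ATM\\atmapp.exe"}
{"ts":"2026-01-10T02:14:30","host":"ATM-017","event":"usb_insert","device":"usb-mass-storage"}
{"ts":"2026-01-10T02:15:05","host":"ATM-017","event":"process_create","image":"E:\\Newage.exe"}
{"ts":"2026-01-10T02:15:40","host":"ATM-017","event":"process_create","image":"C:\\Windows\\Temp\\sdelete.exe"}
{"ts":"2026-01-10T03:40:00","host":"ATM-022","event":"process_create","image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts":"2026-01-10T03:41:00","host":"ATM-022","event":"process_create","image":"C:\\Tools\\notepad.exe"}
"""

def triage(lines):
    """Return (ts, host, reason, detail) alerts for a JSON-lines event stream."""
    alerts, last_usb = [], {}
    for line in filter(None, map(str.strip, lines)):
        ev = json.loads(line)
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["event"] == "usb_insert":
            last_usb[host] = ts  # remember the insertion for later correlation
            alerts.append((ev["ts"], host, "removable-storage", ev["device"]))
            continue
        if ev["event"] != "process_create":
            continue
        name = PureWindowsPath(ev["image"]).name.lower()
        if name in ADVISORY_NAMES:
            reason = "advisory-filename"
        elif any(tool in name for tool in REMOTE_TOOLS):
            reason = "remote-access-tool"
        elif name not in ALLOWLIST:  # renamed binaries still land here
            reason = "not-allowlisted"
        else:
            continue
        if host in last_usb and timedelta(0) <= ts - last_usb[host] <= USB_WINDOW:
            reason += "+after-usb"  # process started shortly after a USB insert
        alerts.append((ev["ts"], host, reason, ev["image"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(*alert, sep=" | ")
```

File names are trivial to change, so this kind of auditing complements, and does not replace, the integrity validation against a clean reference image in the same list.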

Behind the Story

The facts in this article are drawn exclusively from published primary government sources. Every quantitative claim is attributed to its specific source document with the date that document was issued, because the investigation generated multiple loss figures covering different time ranges that cannot responsibly be used interchangeably.

Primary sources examined: the full series of U.S. Department of Justice press releases from the District of Nebraska and the DOJ Office of Public Affairs, October 21, 2025 through February 20, 2026; the FBI Ten Most Wanted listing and the FBI Omaha field office release for the alleged mastermind of the scheme, March 12, 2026; FBI Internet Crime Complaint Center FLASH advisory FLASH-20260219-001, February 19, 2026, retrieved from ic3.gov; U.S. Attorney's Office sentencing records from the Northern District of Mississippi; U.S. Attorney's Office charging documents from the District of Massachusetts, February 26, 2026; and the FBI published news story containing the Omaha special agent in charge's stated loss and incident figures.

Claims excluded for failure to meet primary-source verification: a widely cited figure describing ATM cash dispensing speed, which traces to 2018 media coverage of a non-public internal security industry memo and has no published government document as its basis. Per-incident loss amounts from the Massachusetts case that do not appear in the DOJ charging release. Technical and historical claims about specific ATM malware variants sourced entirely from private security firms. A loss figure attributed to a DOJ Nebraska release that exists only as text embedded within a map graphic, not in any prose sentence in the document.

The 2018 arrival of jackpotting attacks in the United States is drawn from confidential industry alerts reported contemporaneously by the security press. No public primary government document from that period confirmed those specifics on the record. The 2010 security conference demonstration and early Ploutus development history are drawn from security-industry and security-press sources and are presented as context, not as government-verified fact.

All defendants named in this article are identified from federal charging documents. All are presumed innocent until proven guilty in a court of law.

AI assistance was used in research and drafting. All factual claims were verified against primary sources before publication.