{
	"id": "df7edba2-5643-4626-9419-3a54e2b89e73",
	"created_at": "2026-04-06T00:14:55.503159Z",
	"updated_at": "2026-04-10T03:21:55.58587Z",
	"deleted_at": null,
	"sha1_hash": "7eff7422e0d5690ea55dede921ae2dc006eb33d3",
	"title": "ATM robber WinPot: a slot machine instead of cutlets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 255344,
	"plain_text": "ATM robber WinPot: a slot machine instead of cutlets\r\nBy Konstantin Zykov\r\nPublished: 2019-02-19 · Archived: 2026-04-05 22:26:43 UTC\r\nAutomation of all kinds is there to help people with their routine work, make it faster and simpler. Although ATM\r\nfraud is a very peculiar sort of work, some cybercriminals spend a lot of effort to automate it. In March 2018, we\r\ncame across a fairly simple but effective piece of malware named WinPot. It was created to make ATMs by a\r\npopular ATM vendor to automatically dispense all cash from their most valuable cassettes. We called it ATMPot.\r\nExample of WinPot interface – dispensing in action\r\nThe criminals had clearly spent some time on the interface to make it look like that of a slot machine. Likely as a\r\nreference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the\r\nWinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an\r\nATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we\r\nare actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Down from the\r\nSPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette).\r\nThe SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops\r\nthe dispensing in progress.\r\nWe found WinPot to be an amusing and interesting ATM malware family, so we decided to keep a close eye on it.\r\nOver the course of time, new samples popped up, each one with minor modifications. For example, a changed\r\npacker (like Yoda and UPX) or updated time period during which the malware was programmed to work (e.g,\r\nduring March). If system time does not fall in with the preset period, WinPot silently stops operating without\r\nshowing its interface.\r\nThe number of samples we had found was also reflected in the European Fraud Update published in the summer\r\nof 2018. It has a few lines about WinPot:\r\nhttps://securelist.com/atm-robber-winpot/89611/\r\nPage 1 of 4\n\n“ATM malware and logical security attacks were reported by nine countries. Five of the countries\r\nreported ATM related malware. In addition to Cutlet Maker (used for ATM cash-out) a new variant\r\ncalled WinPot has been reported…”\r\nSame as Cutler Maker, WinPot is available on the (Dark)net for approximately 500 – 1000 USD depending on\r\noffer.\r\nOne of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a\r\nstill unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those\r\nof the Stimulator from the CutletMaker story.\r\nhttps://securelist.com/atm-robber-winpot/89611/\r\nPage 2 of 4\n\nUnidentified Stimulator-like sample from demo video\r\nWinpot v3 sample from demo video\r\nDue to the nature of ATM cash-out malware, its core functionality won’t change much. But criminals do encounter\r\nproblems, so they invent modifications:\r\nTo trick the ATM security systems (using protectors or other ways to make each new sample unique);\r\nTo overcome potential ATM limitations (like maximum notes per dispense);\r\nTo find ways to keep the money mules from abusing their malware;\r\nTo improve the interface and error-handling routines.\r\nWe thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM\r\nfrom this sort of threat is to have device control and process allowlisting software running on it. The former will\r\nblock the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of\r\nunauthorized software on it. Kaspersky Embedded Systems Security will further help to improve the security level\r\nof the ATMs.\r\nKaspersky Lab products detect WinPot and its modifications as Backdoor.Win32.ATMPot.gen\r\nhttps://securelist.com/atm-robber-winpot/89611/\r\nPage 3 of 4\n\nSample MD5:\r\n821e593e80c598883433da88a5431e9d\r\nSource: https://securelist.com/atm-robber-winpot/89611/\r\nhttps://securelist.com/atm-robber-winpot/89611/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/atm-robber-winpot/89611/"
	],
	"report_names": [
		"89611"
	],
	"threat_actors": [],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eff7422e0d5690ea55dede921ae2dc006eb33d3.pdf",
		"text": "https://archive.orkl.eu/7eff7422e0d5690ea55dede921ae2dc006eb33d3.txt",
		"img": "https://archive.orkl.eu/7eff7422e0d5690ea55dede921ae2dc006eb33d3.jpg"
	}
}