{
	"id": "751e512c-2bce-4f2b-b269-73dc6761878d",
	"created_at": "2026-04-06T00:11:26.09408Z",
	"updated_at": "2026-04-10T03:22:50.427049Z",
	"deleted_at": null,
	"sha1_hash": "f8d74e2cd7589d152af2c4d084a1189721ad8388",
	"title": "ATM Malware and Jackpotting Attacks Could Be Making a Return",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43834,
	"plain_text": "ATM Malware and Jackpotting Attacks Could Be Making a\r\nReturn\r\nBy Nicole Lindsey\r\nPublished: 2019-10-23 · Archived: 2026-04-05 22:53:03 UTC\r\nJust a few years ago, there were concerns that ATM malware and jackpotting attacks could represent a clear and\r\npresent danger to the world’s financial system, with ATM machines around the globe at risk of attack. In 2017 and\r\n2018, for example, ATM malware and jackpotting attacks (in which ATM machines are reprogrammed by hackers\r\nto dispense cash in large amounts) suddenly started to appear in the U.S. and Europe for the first time. And now,\r\nevidence is mounting that these ATM malware and jackpotting attacks could be making a return a few years later,\r\nalbeit with new twists and approaches.\r\nThe return of ATM malware and jackpotting attacks\r\nMuch of the new buzz around the return of jackpotting is based around a new joint investigation from VICE\r\nMotherboard and the German broadcaster Bayerischer Rundfunk (BR) into the technology and approaches used\r\nby German cybercriminals to pull off a series of bold and audacious attacks on German banks back in 2017.\r\nAccording to evidence assembled from bank and law enforcement officials, it now looks like ten different\r\njackpotting attacks took place between February and November 2017, with combined losses of close to €1.4\r\nmillion.\r\nGiven the similarity of these German attacks, there is a strong indication that cybercriminals linked to a single\r\nsyndicate might be involved. The attacks appeared to be targeting ATM machines from Diebold Nixdorf and\r\nSantander Bank. The cybercriminals also showed a preference for a particular piece of ATM malware known as\r\nCutlet Maker. (In Russian crime jargon, a “cutlet” refers not just to a piece of meat, but also to a bundle of bank\r\nnotes.) 
When the bank ATM machines were hacked, they displayed a message from Cutlet Maker: “Ho-ho-ho!\r\nLet’s make some cutlets today!” This message was accompanied by a picture of a chef and a piece of meat\r\ndisplayed on the monitor of the ATM.\r\nAn earlier form of this ATM malware first appeared back in 2010, when security researcher Barnaby Jack\r\ndemonstrated at a Black Hat security conference how he could make an ATM machine spit out cash and display a\r\n“JACKPOT” message at the same time. For cybercriminals, there is apparent joy in not only carrying out a mini-bank heist, but also letting everyone know exactly how an ATM jackpotting attack was carried out.\r\nHow ATM malware and jackpotting attacks are carried out\r\nThe audacity of the traditional jackpotting ATM attack is based on the premise that cybercriminals need to gain\r\nphysical access to an ATM machine – this is not an attack that can be pulled off online, or solely with the use of\r\nstolen credit cards. Instead, the cybercriminals need to install the malware code directly into the machine. The\r\neasiest way to do this is via a USB port, CD/DVD port, or networking socket inside the ATM machine – this\r\nrequires cybercriminals to pry open part of the machine and attach a computing device into the USB port so that\r\nthe jackpotting malware can be uploaded.\r\nWhen these attacks started to take place in 2017, they were relatively novel and even ATM manufacturers didn’t\r\nknow how to prevent them from taking place. While ATM machines might look like fancy pieces of computing\r\nequipment from the outside, on the inside they are basically old, slow Windows machines that are hard to update\r\nwith security patches. 
But very rapidly, banks and ATM operators figured out a way to install security software\r\nthat actively searches out and denies any malware from going to work inside the ATM machine.\r\nThat helps to explain why, after a sudden burst of activity in 2017, we’ve heard very little about ATM malware\r\nand jackpotting exploits since then. But now, say security researchers, cybercriminals are simply changing their\r\ntactics. They are now favoring a more extreme tactic known as a “black box attack” (aka “logical attack”) in which\r\nthe cybercriminals must drill holes in the ATM, so that they can connect a laptop to the ATM. Once the connection\r\nis made, that is when they can physically attack the ATM’s internal computer, in order to re-program it to spit out\r\ncash as if it were a Vegas slot machine. This process is not nearly as easy as earlier ATM attacks, of course.\r\nTim Erlin, VP, product management and strategy at Tripwire, comments on the current state of ATM security: “We\r\nlike to think of cybersecurity as being limited to software, but the physical security of devices is part of the\r\nequation. If you logically protect a system, but leave exposed physical access, you have left risk unaddressed.”\r\n“Requiring that criminals physically access a machine to carry out an attack does limit the scalability of that attack\r\ntechnique,” says Erlin. “We won’t see hundreds of ATMs simultaneously jackpotted with this technique, but it’s\r\nstill a problem for the ATM owners. Other industries have dealt with the threat of USB-based attacks by disabling\r\nthe ports in the operating system or even going so far as to fill them with glue. 
While this is a particularly dramatic\r\nattack, using USB ports to carry out attacks isn’t new.”\r\nCybercriminals continue to innovate and change attack strategies\r\nGiven the time, expense and risk of sitting in front of an ATM machine and drilling a hole in it – something that\r\npresumably would be captured by security cameras or attract the attention of security personnel or bank customers\r\n– cybercriminals have been forced to change and adapt their tactics. That fact is made clear by another report, this\r\none from the European Society for Secure Transactions (EAST). The EAST report indicates that traditional ATM\r\nmalware and black box “logical” attacks are in decline across Europe, presumably due to beefed up security at\r\nthese machines.\r\nDuring the first six months of 2019, the number of attacks declined by 43% compared to the year-earlier period.\r\nAnd cybercriminals were only able to carry out one successful attack, for less than $1,000. As a result, EAST says\r\nthat related losses due to traditional ATM malware and jackpotting attacks fell by 100% compared to the year-earlier period.\r\nInstead, attackers appear to be favoring a much more dramatic “smash and grab” approach to ripping off ATM\r\nmachines. 
The EAST report details a number of these physical attacks, which include a mix of “ram raids” (in\r\nwhich heavy objects are rammed into ATM machines in order to open them up), explosive device attacks (in\r\nwhich explosives are used to blow open a hole to the cash in the ATM), and even attacks where attackers simply\r\ncarry away the entire ATM machine from the premises of a bank in order to break it open at a “safe” location.\r\nIn addition to these brute force attacks, cybercriminals are also experimenting with a form of ATM fraud known as\r\nTRF, a form of transaction reversal fraud in which ATM machines are “tricked” into thinking that a bank card has\r\nbeen jammed in the machine. At this point, the ATM machine has already prepared a certain amount of cash to\r\ndispense as part of the transaction – and that’s when cybercriminals go to work. At the exact moment that the ATM\r\nmachine is reversing the transaction, the cybercriminals are prying open the cash drawer of the ATM to pull out\r\nthe cash. This results in cash being dispensed at the same time as the money is being credited back to the account.\r\nThe cat-and-mouse game between cybercriminals and law enforcement\r\nAll of these examples should help to illustrate both how creative cybercriminals have become, and also how\r\nmuch more risky and dangerous ATM attacks have become. Some hackers would have you believe that, as soon as\r\nyou purchase a piece of ATM malware like Cutlet Maker on the Dark Web, you can start a mini-crime spree of\r\njackpotting at your local ATM machines. But, as the EAST report demonstrates, success rates are still very low,\r\nand even when they are successful, the amount of cash that can be withdrawn is less than might be expected.\r\nStill, there is reason for concern that hackers will continue to innovate and come up with novel ATM malware and\r\njackpotting schemes. 
It is, perhaps, only a matter of time before law enforcement officials in both Europe and the\r\nU.S. begin to worry about a new crime spree of jackpotting attacks. After a brief lull, these ATM jackpotting\r\nattacks could return with greater size and sophistication.\r\nSource: https://www.cpomagazine.com/cyber-security/atm-malware-and-jackpotting-attacks-could-be-making-a-return/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cpomagazine.com/cyber-security/atm-malware-and-jackpotting-attacks-could-be-making-a-return/"
	],
	"report_names": [
		"atm-malware-and-jackpotting-attacks-could-be-making-a-return"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8d74e2cd7589d152af2c4d084a1189721ad8388.pdf",
		"text": "https://archive.orkl.eu/f8d74e2cd7589d152af2c4d084a1189721ad8388.txt",
		"img": "https://archive.orkl.eu/f8d74e2cd7589d152af2c4d084a1189721ad8388.jpg"
	}
}