ATM Jackpotting Suspect Added to FBI’s Ten Most Wanted List

ATM jackpotting, once considered a niche cybercrime technique, has now reached a level where it is drawing the attention of the highest levels of law enforcement. The FBI has added Anibal Alexander Canelon Aguirre, an alleged leader of a global ATM jackpotting operation, to its Ten Most Wanted Fugitives list, highlighting the growing threat posed by cyber-enabled financial crime. The announcement was made by FBI Omaha Special Agent in Charge Eugene Kowel and U.S. Attorney for the District of Nebraska Lesley Woods, who said Aguirre allegedly orchestrated a large-scale ATM jackpotting conspiracy that targeted banks across the United States. Authorities believe the operation generated millions of dollars that ultimately supported Tren de Aragua, a transnational gang designated as a foreign terrorist organization.

ATM Jackpotting at the Center of the Case

At the heart of the investigation is ATM jackpotting, a cyberattack technique in which criminals install ATM malware to force machines to dispense cash without authorization. Instead of physically robbing a bank vault, attackers exploit software vulnerabilities in the ATM system. According to investigators, Aguirre allegedly led teams that traveled across the United States to carry out these attacks. Once the ATM jackpotting malware was installed, cash withdrawals could be triggered on command, allowing crews to quickly empty machines. Law enforcement officials say this was not a series of isolated attacks. The operation allegedly involved a coordinated network where the stolen money moved through complex laundering channels before reaching the criminal organization behind the scheme.

Charges Linked to Cybercrime and Financial Fraud

A federal arrest warrant for Aguirre was issued on December 9, 2025, in the U.S. District Court for the District of Nebraska. Prosecutors have charged him with multiple offenses connected to the ATM jackpotting conspiracy, including:
  • Conspiracy to commit bank fraud
  • Conspiracy to commit bank burglary and damage a protected computer system
  • Conspiracy to commit money laundering
  • Conspiracy to provide material support to terrorists
The case is being investigated through Joint Task Force Vulcan, working alongside the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice. Officials say the charges reflect the scale and seriousness of the alleged cybercrime network.

Why ATM Jackpotting Is Now a National Security Concern

For years, ATM jackpotting attacks were largely viewed as financial crimes affecting banks and ATM operators. But this case demonstrates how cybercrime techniques can intersect with organized crime and even terrorism financing. Special Agent Eugene Kowel said the alleged ATM jackpotting operation created a “multimillion-dollar revenue stream” that ultimately supported the activities of Tren de Aragua. This development signals an important shift in how authorities view ATM jackpotting malware attacks. What once looked like opportunistic cyber theft is now seen as a tool that organized criminal groups can use to generate funds at scale. The decision to place Aguirre on the FBI Ten Most Wanted list—a list historically reserved for violent offenders—shows how seriously authorities are treating the threat.

First Cyber Fugitive on the FBI’s Most Wanted List

Aguirre’s addition to the list is significant for another reason. He is the first cyber fugitive to appear on the FBI’s Ten Most Wanted Fugitives list since it was created in 1950. The list has included 540 fugitives over the decades, and more than 500 have been captured or located, often with assistance from the public. The FBI believes public awareness could once again play a key role in locating Aguirre. Officials say the suspect should be considered armed and dangerous. He is described as a 49-year-old man with black and gray hair, approximately 5’5” to 5’7” tall, and weighing about 190 pounds. Authorities say he has connections in Venezuela and Mexico and speaks Spanish.

Public Help Could Be Critical

The FBI is offering a reward of up to $1 million for information leading to Aguirre’s arrest. Investigators are urging anyone with information to contact the FBI tip line or submit information online. Beyond the manhunt, the case serves as a reminder that ATM jackpotting attacks are no longer just technical exploits. When cybercrime merges with organized criminal networks, the financial damage can quickly turn into a broader security issue.

FBI warns of surge in ATM Jackpotting, $20 Million lost in 2025

The FBI warns ATM jackpotting is rising nationwide, with over $20 million lost in 2025 and 1,900 incidents reported since 2020.

The FBI has warned of a sharp rise in ATM jackpotting attacks across the U.S., with losses exceeding $20 million in 2025 alone. Since 2020, about 1,900 incidents have been reported, including 700 last year. According to the Department of Justice (DoJ), total losses tied to jackpotting have reached roughly $40.7 million since 2021.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) and technical details associated with malware enabled ATM jackpotting,” reads the FLASH alert published by the FBI. “Threat actors exploit physical and software vulnerabilities in ATMs and deploy malware to dispense cash without a legitimate transaction.”

Criminals are deploying ATM jackpotting malware such as Ploutus to force cash machines to dispense money without authorization. The malware targets the eXtensions for Financial Services (XFS) layer, which controls ATM hardware. By sending rogue commands directly to XFS, attackers bypass bank approval and trigger withdrawals without cards or accounts. Once installed, Ploutus gives the attacker full control of the ATM, enabling fast cash-outs in minutes.

To infect machines, attackers usually gain physical access, open the cabinet with generic keys, and either copy malware onto the hard drive or replace the drive with a preloaded one. Because it exploits the underlying Windows system, the malware works across different ATM brands with minimal changes.
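A defender's check that follows from the description above, as an added example (not code from the FBI FLASH or from this article): because jackpotting dispenses cash without bank approval, reconciling the ATM's own dispenser events against host authorisations surfaces dispenses that no approval accounts for, and a cabinet-open event shortly beforehand adds physical-access context. The record layout, field names, time windows and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed layout, not from the FBI FLASH or a real ATM journal).
HOST_AUTHS = [  # withdrawals the bank host approved
    {"atm": "ATM-01", "time": "2025-03-02T10:15:02", "amount": 200},
    {"atm": "ATM-01", "time": "2025-03-02T11:40:10", "amount": 60},
]
DISPENSES = [  # cash-dispenser events recorded on the ATM itself
    {"atm": "ATM-01", "time": "2025-03-02T10:15:09", "amount": 200},
    {"atm": "ATM-01", "time": "2025-03-02T11:40:15", "amount": 60},
    {"atm": "ATM-01", "time": "2025-03-03T02:11:30", "amount": 2000},
    {"atm": "ATM-01", "time": "2025-03-03T02:12:05", "amount": 2000},
]
CABINET_OPENS = [{"atm": "ATM-01", "time": "2025-03-03T01:52:00"}]  # door sensor

def _age(later, earlier):
    """Time elapsed between two ISO-8601 timestamps."""
    return datetime.fromisoformat(later) - datetime.fromisoformat(earlier)

def unmatched_dispenses(dispenses, auths, window=timedelta(seconds=60)):
    """Dispenses with no host approval for the same ATM and amount in the
    preceding window. Each approval is consumed once, so a repeated dispense
    cannot hide behind a single legitimate transaction."""
    unused = list(auths)
    findings = []
    for d in sorted(dispenses, key=lambda e: e["time"]):
        match = next((a for a in unused
                      if a["atm"] == d["atm"] and a["amount"] == d["amount"]
                      and timedelta(0) <= _age(d["time"], a["time"]) <= window), None)
        if match is None:
            findings.append(d)
        else:
            unused.remove(match)
    return findings

def triage(dispenses, auths, cabinet_opens, lookback=timedelta(hours=2)):
    """Attach physical-access context: was the cabinet opened shortly before?"""
    report = []
    for d in unmatched_dispenses(dispenses, auths):
        opened = any(c["atm"] == d["atm"]
                     and timedelta(0) <= _age(d["time"], c["time"]) <= lookback
                     for c in cabinet_opens)
        report.append({**d, "cabinet_opened_before": opened})
    return report

if __name__ == "__main__":
    for finding in triage(DISPENSES, HOST_AUTHS, CABINET_OPENS):
        print(finding)
```
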

The FLASH alert includes indicators of compromise (IOCs) for these attacks.

The jackpotting technique was first proposed by white-hat hacker Barnaby Jack in 2010.

Ploutus is one of the most sophisticated ATM malware families and was first discovered in Mexico in 2013. The malicious code allows crooks to steal cash from ATMs either by using an external keyboard attached to the machine or by sending SMS messages.

In January 2018, experts at FireEye Labs discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works on KAL’s Kalignite multivendor ATM platform.

The experts observed Ploutus-D in attacks against ATMs from the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Pierluigi Paganini

(SecurityAffairs – hacking, ATM jackpotting)
