The $40M Jackpot: DOJ Charges 54 in Nationwide Ploutus ATM Malware Blitz
The U.S. Department of Justice has brought charges against dozens of individuals in connection with a wave of ATM thefts carried out using the Ploutus malware. The department announced that two federal grand juries have issued indictments against a total of 54 defendants, who prosecutors believe were involved in the development and deployment of a Ploutus variant capable of “emptying” ATMs across the country.
One of the indictments, unsealed earlier this month, concerns a group of 22 individuals. According to investigators, between February 2024 and December 2025 they carried out—or attempted—at least 63 attacks on ATMs, including 54 incidents involving machines operated by credit unions. A second indictment, filed in October and made public this week, names an additional 32 defendants accused of crimes tied to the same scheme.
The Justice Department alleges that the conspirators were connected to Tren de Aragua, a Venezuelan criminal organization recently designated by the U.S. State Department as a foreign terrorist organization. The announcement coincides with renewed pressure from the Donald Trump administration on the Venezuelan government. While the White House has publicly asserted links between Venezuelan leadership and Tren de Aragua, a leaked U.S. intelligence memo in April cast doubt on such connections. Of those named in the case materials, at least one individual—Jimena Romina Araya Navarro—is confirmed to be a Venezuelan national; the nationalities of the remaining defendants have not been disclosed.
Investigators estimate that the 22-person group alone stole at least $5.4 million and failed in attempts to take an additional $1.4 million. Some financial institutions reportedly lost more than $100,000 each, while a single credit union in Kearney, Nebraska, suffered losses of roughly $300,000. Prosecutors describe a typical operation as highly coordinated: teams would identify suitable ATMs in advance, conduct reconnaissance, open the upper compartment of the machine, and then wait nearby to determine whether an alarm was triggered or police responded.
If no alert was raised, the attackers proceeded to install the malware using several methods: removing the storage device and writing the malicious code directly to it, swapping the drive with a pre-infected one containing Ploutus, or connecting an external medium—such as a USB flash drive—that deployed the infection. Authorities stress that the attacks required physical access: the storage device (HDD or SSD) had to be removed, compromised, and reinstalled. Once in place, Ploutus could bypass ATM security controls, after which commands were sent to trigger cash dispensing. Banknotes would then spill from the cassette, while accomplices monitored the machines and checked for the presence of “silent” tamper sensors.
The case files detail specific incidents, including an alleged theft in March 2025 in which the group extracted $79,200 from an ATM in Omaha, Nebraska. In announcing the charges, the Justice Department noted that security researchers and government agencies have been warning about the Ploutus family for nearly a decade. Google researchers have previously described it as one of the most sophisticated ATM malware strains they have encountered. Ploutus was first identified by Symantec in 2013 and has since undergone multiple evolutions; early variants were used in Mexico and enabled criminals to drain ATMs using a connected keyboard or even via SMS—an unprecedented tactic at the time.
Over the years, Ploutus has been deployed against ATMs from multiple manufacturers, including Diebold Nixdorf systems and the Kalignite platform. Diebold Nixdorf itself issued alerts in 2017 and 2018 about Ploutus variants used in thefts in Mexico and the United States. According to investigators, attackers needed either a master key to access the ATM’s upper compartment or the ability to force the lock to connect devices or reach internal components. The malware, they add, is capable of erasing traces of the intrusion. Researchers at Qualys’ Threat Research Unit have stated that Ploutus has evolved continuously over the past 12 years, accumulating new capabilities and achieving compatibility with a wide range of ATM platforms and Windows versions through deliberate study of ATM security models.
U.S. Attorney Leslie Woods added that, according to prosecutors, the stolen cash was divided between those who carried out the physical attacks and the organization’s senior leadership.