U.S. Justice Department Charges 54 Over ATM Cyber Heist Involving Ploutus

The U.S. Department of Justice (DoJ) announced this week that 54 individuals have been indicted for their involvement in a multi-million-dollar ATM jackpotting scheme. According to the DoJ, the large-scale operation relied on Ploutus malware to compromise ATMs across the United States, forcing them to dispense cash. Authorities allege that the defendants are affiliated with Tren de Aragua (TdA), a Venezuelan criminal organization designated as a foreign terrorist group by the U.S. State Department.

In July 2025, the U.S. government imposed sanctions on TdA leader Hector Rusthenford Guerrero Flores (also known as Niño Guerrero) and five senior members for participating in illicit activities, including drug trafficking, human smuggling, extortion, sexual exploitation, and money laundering. The Justice Department stated that an indictment returned on December 9, 2025, charges 22 individuals with bank fraud, burglary, and money laundering. Prosecutors claim TdA used jackpotting schemes to steal millions of dollars from U.S. ATMs and distribute the proceeds among its members. A second indictment, filed on October 21, 2025, names 32 additional defendants accused of conspiracy to commit bank fraud, bank burglary, computer fraud, and multiple counts of bank-related offenses. If convicted, the defendants face sentences ranging from 20 to 335 years in prison.

“These defendants employed systematic surveillance and burglary techniques to install malware on ATMs, steal funds, and launder the proceeds—partly to finance terrorism and other criminal activities of TdA,” said Acting Assistant Attorney General Matthew R. Galeotti. The scheme reportedly involved recruiting operatives to deploy Ploutus nationwide. These individuals conducted reconnaissance to evaluate ATM security measures, then attempted to access the machines without triggering alarms. Once inside, they installed Ploutus either by replacing the ATM’s hard drive with one preloaded with malware or by connecting an infected USB drive. The malware issued unauthorized commands to the ATM’s cash dispensing module, enabling fraudulent withdrawals.

Ploutus was designed to erase traces of its presence, misleading bank and credit union employees and concealing evidence of compromise. Conspirators then divided the stolen funds according to predetermined shares. Originally discovered in Mexico in 2013, Ploutus exploits vulnerabilities in ATM systems. A 2014 Symantec report revealed that attackers could trigger cash withdrawals via SMS on compromised ATMs running Windows XP. Later research by FireEye (now Google Mandiant) in 2017 highlighted its ability to control Diebold ATMs and operate across multiple Windows versions. Once deployed, Ploutus-D allows “money mules” to withdraw thousands of dollars within minutes, provided they have a master key, a physical keyboard, and an activation code supplied by the operation’s leader.

Since 2021, U.S. authorities have recorded 1,529 jackpotting incidents, resulting in losses of approximately $40.73 million as of August 2025. “Millions of dollars were stolen from ATMs nationwide and funneled to Tren de Aragua leaders to fund terrorist activities,” said U.S. Attorney Lesley Woods.
