The US Department of Justice (DoJ) announced this week that it has indicted 54 people in connection with a multi-million dollar ATM jackpot scheme.
This massive conspiracy involved deploying malware named Ploutus to hack Automated Teller Machines (ATMs) across the United States and force them to withdraw cash. The indicted members are alleged to be members of the Venezuelan gang Torren de Aragua (TdA, Spanish for “Aragua Train”), which is listed as a foreign terrorist organization by the U.S. State Department.
In July 2025, the U.S. government announced sanctions against the group’s head, Hector Rustenford Guerrero Flores (also known as Niño Guerrero), and five other key members for their involvement in “illicit drug trafficking, human trafficking, extortion, sexual exploitation of women and children, money laundering, and other criminal activities.”
The Department of Justice announced that a group of 22 people were charged with bank fraud, robbery, and money laundering in an indictment returned on December 9, 2025. Prosecutors also alleged that TdA used the jackpot scheme to siphon millions of dollars in the United States and transfer the ill-gotten proceeds to members and associates.
An additional 32 people were indicted a second time, with related indictments returned on October 21, 2025, charging them with “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank robbery and computer fraud, 18 counts of bank fraud, 18 counts of bank robbery, and 18 counts of computer damage.”
If convicted, the defendants could face up to 20 to 335 years in prison.
“These defendants used systematic surveillance and theft techniques to install malware on ATM machines and to steal and launder funds from ATM machines as part of their financing of terrorism and a wide range of other criminal activities of the TDA, which is designated as a foreign terrorist organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.
Operation Jackpot allegedly relied on TdA recruiting an unspecified number of individuals to deploy malware across the country. These individuals then perform initial reconnaissance to assess the external security measures in place at various ATMs and determine whether opening the hood of an ATM would trigger an alarm or law enforcement response.
Following this step, the attacker installs Ploutus by replacing the hard drive with one preloaded with the malicious program or by attaching a removable thumb drive. The malware has the ability to issue malicious commands related to the ATM’s cash dispensing module in order to force currency withdrawals.
“The Ploutus malware was also designed to remove evidence of malware in order to conceal, falsely mislead, mislead, or otherwise deceive bank and credit union employees from knowing about the deployment of the malware on ATMs,” the Justice Department said. “Members of the conspiracy would then divide the proceeds into predetermined portions.”
Ploutus was first detected in Mexico in 2013. In a 2014 report, Symantec detailed how a vulnerability in Windows XP-based ATMs could be exploited to allow cybercriminals to withdraw cash by simply sending an SMS to an infected ATM. A subsequent analysis in 2017 by FireEye (now part of Google Mandiant) detailed the ability to control Diebold ATMs and run them on different Windows versions.
“By introducing Ploutus-D into ATMs, money mules can access thousands of dollars in minutes,” the company said at the time. “In order to withdraw money from an ATM, a money mule must have a master key to open (or be able to pick) the top of the ATM, a physical keyboard to connect to the machine, and an activation code (provided by the supervisor responsible for the operation).”
According to the agency, a total of 1,529 jackpot incidents have been recorded in the United States since 2021, with approximately $40.73 million lost to international criminal networks as of August 2025.
“As a result of this conspiracy, millions of dollars were allegedly drained from ATMs across the United States, with the money allegedly going to Tren de Aragua leaders to fund terrorist activities and purposes,” said U.S. Attorney Leslie Woods.
Source link
