The Engine Behind ATM Fraud: Inside Organized Criminal Groups

  • NuSource
  • 6 days ago
  • 5 min read
A person's hands are controlled by puppet strings while typing on a laptop.

Organized Criminal Groups: The Engine Behind ATM Fraud

  • It’s important to understand that most logical and physical ATM attacks aren't the work of lone amateurs. 

  • These crimes are typically carried out by organized criminal groups with significant resources and international reach. 

  • Based on industry intelligence and field reports, many incidents have been traced back to Eastern European crime syndicates, with Romanian crime families frequently identified as key players in these schemes.

  • ATM crime trends often originate internationally, with threat activity frequently first emerging in Europe or South America before migrating to the United States. These global attack patterns often serve as early indicators of the tactics that will eventually affect domestic machines.

  • These operations are highly coordinated and profit-driven, functioning more like illicit businesses than spontaneous crimes. 

  • The individuals executing the attacks at the branch level are often low-level operatives, following detailed instructions passed down from more sophisticated players who design and distribute the equipment.

  • Many of the devices used in these attacks are readily available for purchase online. 

  • Some are listed openly on search engines, while more advanced versions are found on dark web marketplaces. These kits often include step-by-step instructions, and disturbingly, some vendors offer technical support hotlines, allowing buyers to troubleshoot issues in real time, as if they were dealing with a legitimate software company.

  • This level of support and scalability shows that these aren't isolated incidents.

  • They’re part of a global criminal infrastructure designed to quickly and discreetly extract liquid cash from Financial Institutions and their customers. 

  • As a result, Financial Institutions must treat these threats as organized business operations, not just individual crimes of opportunity.



Jackpotting Crews Typically Operate as Coordinated Units with Four Distinct Roles:


Descriptions of each role: tech team, cash-out team, command and control, remote engineer

In many of these ATM attacks, you’ve got a group of on-site individuals handling the physical side of the operation, but they’re not the ones with technical expertise. 


The real threat is the remote engineer supporting them behind the scenes. These individuals have a deep understanding of both computing and ATM architecture, and they’re the ones custom-designing these attacks based on the specific hardware and software they encounter in the field.


A recurring pattern: attackers steal hard drives without much initial success. Although the drives weren't encrypted, they still couldn't get the machines to dispense cash. After a couple of weeks, however, they solve whatever issue blocked them, and soon after, successful jackpotting attacks increase significantly, suggesting that the attackers have refined their malware to work with those specific ATM models.


These are not opportunistic, low-skill hacks. They are well-coordinated, malware-driven jackpotting campaigns led by technically skilled individuals who are actively adapting their methods.



The teams generally consist of individuals fulfilling two core functions: 

  • Installers (those who physically access and prep the ATM) and cashers (those executing the theft). 

  • However, these roles often overlap—team members may rotate responsibilities across different attacks.

  • From the technical side, remote access software such as AnyDesk, TeamViewer, or FlexiHub is used to connect to stolen ATM hard drives. A common method includes removing the ATM's hard drive, connecting it to a cradle or docking station in a nearby vehicle, and giving it hotspot connectivity.

    •  The remote engineer then accesses the drive from another location to probe it for vulnerabilities, often looking for unencrypted partitions. If found, malware is deployed to the drive, which is later reinserted to execute the attack.

  • Teams typically range from 2 to 8 individuals and often use multiple vehicles during an operation. 

    • These vehicles might not appear directly in FI surveillance footage, so observing traffic patterns and vehicle behavior around branches can be critical. Counter-surveillance is common.



Indicators and Attack Preparation

A security camera's view of a man with a hood looking like he's video chatting with someone or taking a photo of an ATM

  • Before an actual jackpotting event, attackers often conduct recon:

    • Taking photos or videos of the ATM while on a video call—often wearing earbuds or headphones.

    • Returning days later to carry out the attack.

    • In some cases, hard drives are stolen ahead of time but not immediately exploited; this is a key red flag.

    • Attackers may even perform a hard drive swap, testing whether vulnerabilities carry over due to lax security configurations.

  • Many regional banks and credit unions fall victim because they don’t have full security protocols in place. Attackers are known to test machines for weaknesses, especially in the dispenser or software.

  • Older ATM models tend to be easy targets for attackers; they’re often considered the low-hanging fruit. 

  • Unfortunately, there’s only so much that can be done to secure those legacy systems due to their outdated hardware and software limitations.



Security Recommendations

  • Encrypt all hard drives fully – attackers often test for unencrypted sectors they can exploit.

  • Implement device whitelisting – prevent rogue hardware from being recognized by the ATM unless pre-approved by device ID.

  • Monitor for recon behavior – unusual visits, photo-taking, or headphone use may indicate prep work.

  • Stay vigilant for hard drive theft – even if nothing immediately follows, the theft itself is a precursor to a larger exploit.
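As an added illustration (not NuSource's code, nor any ATM vendor's tooling), the PowerShell audit below checks a Windows ATM host against the first two recommendations: every fixed volume fully encrypted with BitLocker protection on, and every disk drive currently present matching a pre-approved device ID. It assumes the BitLocker module is available, uses Windows PnP instance IDs as the device identifier, and reads the approved list from a constructed placeholder path.

```powershell
# Added example (not NuSource's code): audit an ATM's Windows host for the two controls above.
# Assumptions: Windows host with the BitLocker PowerShell module; approved disk InstanceIds are
# kept in C:\ATM\approved-disks.txt (hypothetical path, one InstanceId per line).
$ApprovedListPath = 'C:\ATM\approved-disks.txt'
$Findings = @()

# 1. Every OS and data volume must be fully encrypted with protection enabled. A volume that is
#    still encrypting, or whose protection is suspended, is readable once the drive is pulled
#    and docked in a vehicle, which is exactly the probing step described above.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -ne 'OperatingSystem' -and $vol.VolumeType -ne 'Data') { continue }
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $Findings += "Volume $($vol.MountPoint): status=$($vol.VolumeStatus), protection=$($vol.ProtectionStatus)"
    }
}

# 2. Every disk drive the OS currently sees must be on the pre-approved device-ID list.
#    A swapped or foreign drive connected to the machine shows up here as unapproved.
$Approved = Get-Content -Path $ApprovedListPath -ErrorAction Stop |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($disk in Get-PnpDevice -Class DiskDrive -PresentOnly) {
    if ($Approved -notcontains $disk.InstanceId) {
        $Findings += "Unapproved disk present: $($disk.FriendlyName) [$($disk.InstanceId)]"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'OK: all volumes fully encrypted with protection on; all present disks approved.'
    exit 0
}
$Findings | ForEach-Object { Write-Warning $_ }
exit 1   # non-zero so a scheduled task or monitoring agent can raise an alert
```

Run it on a schedule from the ATM's management agent and treat a non-zero exit as an alert, since a newly unapproved disk after a service visit is the hard-drive-swap indicator described under recon.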



Jackpotting Team Structure and Trends

1. There are 10 active groups working across various regions of the country at any given time.

  • Attacks tend to occur in waves or cycles, with multiple teams carrying out coordinated activities simultaneously.


2. The individuals involved are predominantly foreign nationals. Historically, different types of fraud have been associated with distinct groups:

  • Romanian Organized Crime for ATM Skimming

  • Venezuelans for Jackpotting

  • Cubans and Armenians for gas pump skimming. 



However, jackpotting in the U.S. emerged around 2017, having already been seen extensively across Europe, Central America, and South America. When early tests in the U.S. proved successful, organized criminal networks began repurposing Venezuelan crews already in the States to focus specifically on jackpotting activity.



Prevention and Response Protocols for Jackpotting Attacks are CRITICAL

  1. Proactively apply recommended security updates. 

  2. Develop a well-structured incident response plan for an active attack. 



One key oversight we've seen is in how alarms are configured. While many institutions alarm the safe (where the cash is stored), they often neglect to alarm the top hat—the ATM's upper portion that can still be exploited.


We recommend alarming both the top and bottom portions of the ATM with audible alarms, and coordinating with and educating law enforcement to ensure tampering is not labeled as a false alert when the theft is not visible.


Contact your NuSource representative to discuss how to best protect your financial institution. Our techs and software are top-tier.




Protect and Prevent

If an ATM alarm is triggered or suspicious activity is detected, it's critical to immediately review surveillance footage and relay relevant details such as suspect description, clothing, vehicle type, or direction of travel to responding law enforcement. Ensure ATM field techs follow protocol, such as wearing gloves to avoid contaminating potential evidence.


This enables both the financial institution and law enforcement to confirm that an attempted tampering or attack is underway.


Where possible, institutions should be ready to remotely disable the ATM to prevent suspects from re-accessing the machine if they return.


Jackpotting is considered the #1 ATM-related crime in the U.S., with extremely high frequency. It’s not uncommon to receive one to three new incident reports per day. Disturbingly, investigators have identified over 400 individuals connected to these jackpotting crews, highlighting the scale and complexity of these operations.


A timeline of ATM jackpotting





