The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme.
The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash. The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for “the train of Aragua”), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department.
In July 2025, the U.S. government announced sanctions against the group’s head, Hector Rusthenford Guerrero Flores (aka Niño Guerrero), and five other key members for their involvement in the “illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities.”
The Justice Department said an indictment returned on December 9, 2025, has charged a group of 22 people for supposedly committing bank fraud, burglary, and money laundering. Prosecutors also alleged that TdA has leveraged jackpotting schemes to siphon millions of dollars in the U.S. and transfer the ill-gotten proceeds among its members and associates.
Another 32 individuals have been charged in a second, related indictment returned on October 21, 2025, accusing them of “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of damage to computers.”
If convicted, the defendants could face a maximum penalty of anywhere between 20 and 335 years in prison.
“These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.
The jackpotting operation is said to have relied on the TdA recruiting an unspecified number of individuals to deploy the malware across the nation. These individuals would then conduct initial reconnaissance to assess external security measures installed at various ATMs and then attempt to open the ATM’s hood to check if they triggered any alarm or a law enforcement response.
Following this step, the threat actors would install Ploutus by either replacing the hard drive with one that came preloaded with the malicious program or by connecting a removable thumb drive. The malware is equipped to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force currency withdrawals.
“The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM,” the DoJ said. “Members of the conspiracy would then split the proceeds in predetermined portions.”
Ploutus was first detected in Mexico in 2013. In a 2014 report, Symantec detailed how Windows XP-based ATMs compromised by the malware could be exploited to allow cybercriminals to withdraw cash simply by sending an SMS command. A subsequent analysis from FireEye (now part of Google Mandiant) in 2017 detailed its ability to control Diebold ATMs and run on various Windows versions.
“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes,” it explained at the time. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM.”
According to the agency, a total of 1,529 jackpotting incidents have been recorded in the U.S. since 2021, with about $40.73 million lost to the international criminal network as of August 2025.
“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes,” U.S. Attorney Lesley Woods said.
