US Charges 87 in ATM Jackpotting Conspiracy Linked to Venezuelan Crime Syndicate

3 unique sources, 6 articles

Summary

The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents.

Timeline

  1. 20.02.2026 12:08 1 article · 12h ago

    FBI Warns of $20 Million in ATM Jackpotting Losses in 2025

    The FBI warned that Americans lost more than $20 million last year amid a massive surge in ATM "jackpotting" attacks, in which criminals use malware to force cash machines to dispense money. According to a Thursday FBI flash alert, more than 700 ATM jackpotting incidents were reported last year alone in a significant spike compared to the roughly 1,900 total incidents reported across the United States since 2020. These attacks can be carried out in minutes and target the software layer controlling an ATM's physical hardware, using malicious tools such as the Ploutus malware. Most often, they go undetected by financial institutions and ATM operators until the cash is already gone.

  2. 20.02.2026 10:05 2 articles · 14h ago

    FBI Reports 1,900 ATM Jackpotting Incidents Since 2020

    The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025. Losses in 2025 exceeded $20 million. Cybercriminals exploit physical and software vulnerabilities to deploy malware, often using generic keys to access ATMs. Ploutus malware exploits the eXtensions for Financial Services (XFS) layer to bypass bank authorization. The FBI recommends tightening physical security, auditing devices, changing default credentials, configuring automatic shutdown modes, enforcing device allowlisting, and maintaining logs to mitigate risks.

  3. 27.01.2026 18:27 1 article · 24d ago

    Tren de Aragua Designated as Foreign Terrorist Organization

    The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) designated the Tren de Aragua (TdA) gang as a Foreign Terrorist Organization in December. The gang, which grew from a prison gang to a transnational criminal organization, has been involved in sophisticated malware attacks on ATMs across the United States.

  4. 23.01.2026 18:38 1 article · 28d ago

    Conviction and Deportation of Venezuelan Nationals

    Luz Granados and Johan Gonzalez-Jimenez, two Venezuelan nationals, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting. They were sentenced to 18 months in federal prison and ordered to pay restitution before deportation. The defendants connected laptops to ATMs and installed malware to bypass security protocols, forcing the machines to dispense all available cash. The stolen funds came directly from the banks rather than individual customer accounts, affecting institutions in South Carolina, Georgia, North Carolina, and Virginia.

  5. 19.12.2025 13:20 6 articles · 2mo ago

    US Charges 54 in ATM Jackpotting Conspiracy

    The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025. Losses in 2025 exceeded $20 million. Cybercriminals exploit physical and software vulnerabilities to deploy malware, often using generic keys to access ATMs. Ploutus malware exploits the eXtensions for Financial Services (XFS) layer to bypass bank authorization. The FBI recommends tightening physical security, auditing devices, changing default credentials, configuring automatic shutdown modes, enforcing device allowlisting, and maintaining logs to mitigate risks.


Similar Happenings

Crazy Ransomware Gang Abuses Employee Monitoring and Remote Support Tools

The Crazy ransomware gang has been observed abusing legitimate employee monitoring software (Net Monitor for Employees Professional) and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. The attackers used these tools to gain full interactive access to compromised systems, transfer files, execute commands, and monitor system activity in real time. They also attempted to disable Windows Defender and set up monitoring rules to detect cryptocurrency-related activities and remote access tools. The use of multiple remote access tools provided redundancy for the attackers, ensuring they retained access even if one tool was discovered or removed. The breaches were enabled through compromised SSL VPN credentials, highlighting the need for organizations to enforce MFA on all remote access services.

US Seizes E-Note Crypto Exchange for Ransomware Laundering

The U.S. Department of Justice, led by the FBI and collaborating with international partners, has seized the E-Note cryptocurrency exchange for allegedly laundering over $70 million in ransomware and account takeover proceeds. The operation involved confiscating domains, servers, and customer databases, with an indictment unsealed against the Russian national Mykhalio Petrovich Chudnovets, believed to be the operator of E-Note. Chudnovets targeted US healthcare and critical infrastructure sectors through his money laundering services, which he began offering in 2010. This action may lead to further identification of cybercriminals involved in the laundering scheme.

European Authorities Dismantle Ukraine-Based Call Center Fraud Ring

European law enforcement dismantled a fraud network operating call centers in Ukraine that scammed victims across Europe out of over 10 million euros. The operation involved arrests, seizures, and the disruption of multiple call centers employing approximately 100 people. The criminals used various schemes, including impersonating bank employees and police officers, to defraud over 400 known victims. The network operated as a commission-based criminal enterprise, promising bonuses for successful scams. Authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, supported by Eurojust, arrested 12 suspects out of 45 identified. The operation included 72 searches across three Ukrainian cities, leading to the seizure of vehicles, weapons, a polygraph machine, computers, cash, and counterfeit identification documents. The fraud ring used remote access software to steal banking logins and directed victims to transfer funds to 'safe' accounts under their control. Members of the network had different roles, including making scam phone calls, forging official documents, and collecting cash from victims.

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.

FBI Warns of $262M Stolen in Account Takeover Fraud Schemes

Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users. The U.S. Justice Department (DoJ) has seized the fraud domain web3adspanels[.]org, which was used to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as November 2025. The FBI and Estonian law enforcement collaborated in this seizure, and the domain now displays a law enforcement banner indicating it is under the control of authorities. No arrests have been made yet, but the investigation may reveal clues leading to the operators.