ATM jackpotting — a form of cyber-enabled theft in which criminals manipulate ATMs to dispense cash illicitly — has historically been more prevalent internationally. Over the last decade, however, the tactic has steadily gained a foothold in the United States, with community banks across the Mountain West now finding themselves in the crosshairs. Jackpotting has emerged as a sophisticated threat in our region, blending physical crime with the deployment of advanced malware.
This surge is part of a broader escalation: The U.S. Secret Service noted that losses from jackpotting attacks reached approximately $6 million in 2023 across some 200 incidents, and by early 2024, similar losses had already occurred from over 300 attacks. The OCC echoed these warnings in spring 2025, urging banks to shore up both cyber and physical defenses amid increasing ATM “cash-out” risks.
How Jackpotting Works
In its simplest form, jackpotting involves two components: access and control. Criminals gain physical access to an ATM — often during off-hours — by disguising themselves as technicians. Once the cabinet is opened, attackers install specialized hardware or upload malware through a USB or network port. With control of the system, they can command the ATM to dispense large volumes of cash on demand, sometimes emptying a machine in minutes.
The Mountain West is especially vulnerable for two reasons. First, many rural banks still operate older ATM models, which are more susceptible to known jackpotting exploits. Second, the vast geographic spread of service areas can delay detection and response, allowing criminals more time to operate undetected.
Trends Emerging in the Region
- Shift From Large Cities to Middle Markets in Rural Areas
While early jackpotting reports in the U.S. centered on large urban areas, more recent activity is concentrated in mid-sized cities and smaller rural markets. Law enforcement officials suggest that organized crime groups are deliberately targeting banks with fewer resources for ATM monitoring and security.
- Cross-Border Coordination
Authorities warn that many jackpotting incidents in the Mountain West are linked to organized groups operating across state — and sometimes national — borders. I-25 and I-80 provide quick exit routes, and some investigations have tied attacks in Wyoming and Colorado to crews operating out of southern California or even Mexico. In April, two Venezuelan nationals were indicted by the DOJ for conspiracy to defraud over 30 ATMs across several western states — including Colorado, Utah, and California. One attack alone netted nearly $94,800 from a Merced County credit union.
- Increase in “Black Box” Attacks
A notable regional trend on the rise is “black box” jackpotting. Instead of uploading malware directly into an ATM’s operating system, attackers bypass the machine’s software entirely by connecting an external device to the cash dispenser unit. This is more difficult for banks to detect, as it leaves minimal digital traces.
- Combination With Other Financial Crimes
Jackpotting is increasingly being combined with skimming and account-takeover schemes. In a recent case in Arizona’s northern corridor, criminals compromised ATMs to harvest card data while simultaneously deploying malware to empty machines. The convergence of digital and physical crime complicates investigations and heightens losses.
Impact on Community Banks
For community banks in the region, jackpotting presents both financial and reputational risks. Losses from a single event can reach hundreds of thousands of dollars, and the perception of insecurity can undermine customer confidence. Smaller institutions also face disproportionate challenges: Unlike national banks, they may not have in-house cybersecurity teams or the capital to replace vulnerable ATM hardware immediately.
Banks in the region are taking steps to adapt. Recommended countermeasures include:
- Update Regularly: Ensure that the ATM’s operating system, firmware, software and configurations are up to date.
- Upgrade Machines: As necessary, upgrade ATM fleets to newer models with encrypted communications and hardened ports.
- Delay Physical Access: Use anti-jackpotting kits, alarms and barriers to delay attackers.
- Monitor Remotely: Improve remote monitoring to detect unusual cash-out patterns in real time.
- Upgrade Technology: Ensure ATMs are TLS-encrypted and have TR31 PCI-compliant keypads.
- Monitor Anomalous Activity: Implement real-time surveillance, including AI-assisted alerts and transaction anomaly detection.
- Educate Staff: Train personnel to identify impersonators and unauthorized technicians.
- Limit Physical Access: Generic manufacturer keys can be stolen, copied or purchased and then used to access multiple ATMs.
- Implement Access Controls: ATM service technician access should require multi-factor authentication where possible.
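
As an added illustration of the remote monitoring and transaction anomaly detection items above (example code written for this page, not taken from any vendor or bank system), the sketch below flags two cash-out patterns: a dispense with no matching host authorization, and a burst of cash leaving one machine within a short window. The event schema, the ATM identifiers, the five-minute window and the $2,000 limit are all assumptions, and the feed is assumed to be time-ordered and to record physical dispenses (for example from dispenser counters), since a black box attack bypasses the ATM's own software.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema): time, ATM id, event type,
# host transaction id (empty when cash moved with no host approval), USD amount.
SAMPLE_EVENTS = """\
2025-01-10T14:02:11,ATM-017,AUTH,T1001,200
2025-01-10T14:02:19,ATM-017,DISPENSE,T1001,200
2025-01-11T02:41:03,ATM-017,DISPENSE,,800
2025-01-11T02:41:40,ATM-017,DISPENSE,,800
2025-01-11T02:42:15,ATM-017,DISPENSE,,800
2025-01-11T09:15:00,ATM-022,AUTH,T2001,300
2025-01-11T09:15:08,ATM-022,DISPENSE,T2001,300
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window
WINDOW_LIMIT = 2000             # assumed per-ATM cash limit inside one window (USD)

def detect_cash_out(text, window=WINDOW, limit=WINDOW_LIMIT):
    """Return alerts as (atm_id, timestamp, reason) tuples in event order."""
    authorized = set()            # (atm_id, txn_id) pairs approved by the host
    recent = defaultdict(deque)   # atm_id -> (time, amount) pairs inside the window
    alerts = []
    for line in text.strip().splitlines():
        ts, atm, event, txn, amount = line.split(",")
        when, amount = datetime.fromisoformat(ts), int(amount)
        if event == "AUTH":
            authorized.add((atm, txn))
            continue
        # Rule 1: cash left the dispenser without a matching host authorization.
        if (atm, txn) not in authorized:
            alerts.append((atm, ts, "unauthorized_dispense"))
        # Rule 2: total cash dispensed inside the sliding window exceeds the limit.
        q = recent[atm]
        q.append((when, amount))
        while q and when - q[0][0] > window:
            q.popleft()
        if sum(a for _, a in q) > limit:
            alerts.append((atm, ts, "cash_out_burst"))
    return alerts

if __name__ == "__main__":
    for alert in detect_cash_out(SAMPLE_EVENTS):
        print(alert)
```
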
If you suspect that an ATM has been compromised using these jackpotting techniques, take the following steps immediately:
- Before opening the ATM, wear gloves to avoid contaminating any potential DNA evidence and prints.
- Before removing any unauthorized devices from the ATM, photograph all components, the hard drive and any attached devices.
- Report suspicious activity to the U.S. Secret Service field office in Denver by calling (303) 850-2700.

