The US Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million-dollar ATM jackpotting scheme.
The large-scale plot involved deploying malware called Ploutus to compromise automated teller machines (ATMs) across the US and force them to dispense cash. The charged individuals are alleged to be members of Tren de Aragua (TDA, Spanish for “Train of Aragua”), a Venezuelan gang that has been designated a Foreign Terrorist Organization by the U.S. State Department.
In July 2025, the US government announced sanctions against the group’s head, Hector Rusthenford Guerrero Flores (aka Niño Guerrero), and five other key members for their involvement in “illicit drug trade, human trafficking and other criminal activities, including trafficking, extortion, sexual exploitation of women and children, and money laundering.”
The Justice Department said an indictment returned Dec. 9, 2025, charges a group of 22 people with bank fraud, burglary and money laundering. Prosecutors also alleged that TDA took advantage of jackpotting schemes to launder millions of dollars from the US and transfer the illicit earnings among its members and associates.
Another 32 individuals are charged in a second, related indictment returned on October 21, 2025, with “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of computer damage.”
If convicted, the defendants face maximum sentences ranging from 20 to 335 years in prison.
“These defendants used systematic surveillance and burglary techniques to install malware in ATM machines, and then stole and laundered money from the machines to finance terrorism and other far-reaching criminal activities of TDA, a designated foreign terrorist organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.
The jackpotting operation is said to have relied on TDA recruiting an unspecified number of individuals to deploy the malware across the country. These individuals would first conduct initial checks to assess the external security measures installed on various ATMs, and then attempt to open the hood of the ATM to check whether doing so triggered any alarm or law enforcement response.
After this step, the threat actors would install Ploutus either by replacing the ATM's hard drive with one pre-loaded with the malicious program or by connecting a removable thumb drive. The malware is equipped to issue unauthorized commands to the cash dispensing module of the ATM to force currency withdrawals.
“The Ploutus malware was also designed to remove evidence of the malware in an effort to conceal, mislead, or otherwise deceive employees of banks and credit unions from knowing about the deployment of the malware on ATMs,” the DoJ said. “The members of the conspiracy would then divide the proceeds into predetermined portions.”
Ploutus was first discovered in Mexico in 2013. In a 2014 report, Symantec detailed how a weakness in Windows XP-based ATMs could be exploited to allow cybercriminals to withdraw cash by sending an SMS to the compromised ATM. A later analysis in 2017 by FireEye (now part of Google Mandiant) detailed its ability to control Diebold ATMs and run on different Windows versions.
“Once deployed in an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes,” FireEye explained at the time. “To withdraw money from an ATM a money mule must have a master key to open the top part of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation).”
According to the agency, a total of 1,529 jackpotting incidents have been recorded in the US since 2021, with approximately $40.73 million lost to international criminal networks as of August 2025.
U.S. Attorney Lesley Woods said, “This conspiracy resulted in millions of dollars being withdrawn from ATM machines across the United States and it is alleged that that money was delivered to Tren de Aragua leaders to finance their terrorist activities and objectives.”