
Arrest of ATM Hackers Transforms Landscape in the US
TL;DR
The U.S. Department of Justice formally charges 87 individuals involved in a major **ATM jackpotting** operation, a technique using **malware** to force ATMs to dispense cash, linked to significant financial crimes with ties to terrorist support, notably the **Tren de Aragua** (TdA).
The U.S. Department of Justice formally charges 87 individuals involved in a major **ATM jackpotting** operation, a technique that uses **malware** to force ATMs to dispense money. The investigation began six months ago in response to significant financial crimes linked to support for terrorist groups, specifically the **Tren de Aragua** (TdA).
The case represents one of the most comprehensive investigations into cybercrime and terrorism, built on intense collaboration among various agencies and coordinated by the **Joint Task Force Vulcan** and the **Homeland Security Task Force**. This operation reflects a broader effort to combat financial crimes that fund terrorist activities.
Operation of the Scheme
Those involved in the conspiracy developed a variant of the **Ploutus** malware specifically designed to attack ATMs. The group organized itself into a network with a strategy of targeting different locations simultaneously across various parts of the country.
The process began with a reconnaissance phase, in which the criminals assessed the security features of the equipment, including alarm systems and police monitoring. After settling on their strategy, they performed non-intrusive tests to gauge the response of authorities.
Malware Installation Methods
The **malware** was installed using three main techniques. The first involved physically removing the hard disk to install the software directly. The second, faster method involved swapping the disk for one that was already compromised. The third used external devices that, when connected, implanted the malware instantly.
Features of Ploutus
The **Ploutus** malware is a sophisticated tool, primarily designed to issue fraudulent commands to the cash dispensing module of ATMs. By activating it, criminals could cause the machine to release all available cash.
Additionally, the software minimized its digital traces by self-destructing, making it difficult for bank security staff to detect.
Profit Distribution and Money Laundering
After the attacks, the profits were divided according to an organized structure, indicating a clear hierarchy among the group's members. A significant portion of the gains was allocated to the TdA, supporting its criminal and terrorist activities.
Authorities highlighted the complexity of how the money was laundered, with internal transfers used to disguise its illicit origin and generate significant profit for the organization.
Wave of Charges
The federal grand jury for the District of Nebraska presented the charges in three distinct waves. The first occurred on October 21, 2025, accusing 32 individuals of various offenses, including bank fraud.
The second wave, on December 9, 2025, brought more severe charges, such as conspiracy to provide support to terrorists. The final stage included another 31 defendants and broadened the accusations to other cybercrimes.
About the Tren de Aragua
The **TdA** started as a gang in the Venezuelan prison system but quickly evolved into an international criminal organization with several illegal operations, including drug and arms trafficking. Its expansion illustrates how financial crimes can be interconnected with networks of terrorism.
Protection of Customer Accounts
Despite the gravity of the crimes, customer accounts remained intact. The stolen money belonged to banks and cooperatives, not affecting personal information or balances. This protection ensured financial security for individuals while investigations were ongoing.
Defendants, if convicted, could face sentences ranging from 20 to 335 years, reflecting the seriousness of the accusations, particularly those related to terrorist groups. This situation highlights the increasing need for vigilance and security in financial systems against cyber threats.
Ongoing Similar Cases
The situation is not isolated. As TecMundo recently reported, two individuals were convicted of similar crimes, reinforcing the need for ongoing efforts to combat these illicit practices and for vigilant monitoring by authorities.


