
ATM Hackers Using ‘Ploutus’ Malware Charged in US

The Department of Justice charged 54 individuals, including leaders and members of the Venezuelan crime syndicate Tren de Aragua. The post ATM Hackers Using ‘Ploutus’ Malware Charged in US appeared first on SecurityWeek.


The US Department of Justice has announced charges against dozens of individuals over their alleged roles in a massive ATM jackpotting campaign that involved the deployment of the notorious Ploutus malware family.

According to authorities, the suspects are leaders and members of the Venezuelan crime syndicate Tren de Aragua, described as a terrorist organization responsible for murder, assault, drug and firearms trafficking, kidnapping, robbery, theft, fraud, and extortion. 

A DoJ press release highlights the activities of Jimena Romina Araya Navarro, an alleged leader of Tren de Aragua who has been sanctioned by the Treasury Department. 

As part of the crackdown on the crime group’s ATM jackpotting operations, the US has charged 54 individuals, including ones who installed malware on cash machines, stole money, and laundered the crime proceeds. They face between 20 and 335 years in prison for bank fraud, burglary, computer fraud, and hacking charges. 

Investigators determined that the members of the crime ring deployed the Ploutus malware on targeted ATMs to steal millions of dollars. The malware enables its operator to bypass ATM security systems and force machines to dispense cash on command.

“Following […] reconnaissance, the groups would open the hood or door of ATMs and then wait nearby to see whether they had triggered an alarm or a law enforcement response. The groups would then take steps to install malware on the ATMs, by removing the hard drive and installing the malware directly, by replacing the hard drive with one that had been pre-loaded with the Ploutus malware, or by connecting an external device such as a thumb drive that would deploy the malware,” the DoJ said.

The Ploutus malware has been around for more than a decade. While it hasn’t been in the news much since its peak in 2017 and 2018, it likely hasn’t disappeared from the threat landscape. 

The cybersecurity community issued a warning about attacks targeting Latin America in 2021, and the next year ATM maker Diebold Nixdorf alerted customers to Ploutus malware attacks in the United States.

The DoJ does not specify when the malware attacks occurred, but a map showing the location of jackpotting incidents in the US as of August 2025 suggests that attacks were discovered recently.  

Last month, police in Fairfax County, Virginia, said they had been looking for a group of suspects who were believed to have installed malware on an ATM to withdraw $175,000. There does not appear to be any information on the malware used in that attack or the perpetrators.
