Federal prosecutors in Nebraska unsealed two indictments on Wednesday charging 54 individuals with orchestrating a sophisticated conspiracy that drained millions of dollars from financial institutions across the United States.
The accused, who prosecutors allege are members and associates of the Venezuelan transnational criminal organization Tren de Aragua, used the Ploutus malware to force ATMs to dispense cash without debiting customer accounts, a scheme known as jackpotting.
While the charges highlight a tangible cybersecurity threat to regional banks and credit unions, the prosecutions arrive alongside a broader, escalating campaign by the Trump administration against Venezuela—a campaign that intelligence sources indicate relies on distorted claims about the relationship between the Venezuelan government and criminal groups.
The anatomy of the attack
The scheme, which ran from January 2024 through August 2025, targeted dozens of community banks and credit unions, according to the indictments filed in the U.S. District Court for the District of Nebraska.
The accused employed a methodical process to compromise the machines.
First, scouts traveled to target locations to photograph security features and confirm the absence of silent alarms, often gluing over sensors so they could not detect the intrusion.
Next, teams gained physical access to the ATMs’ internal computers by picking locks or forcing open the machines’ enclosures. They then installed the Ploutus malware, either by inserting a pre-loaded hard drive or connecting an external device such as a keyboard or a Raspberry Pi.
Once installed, the malware allowed the conspirators to issue unauthorized commands directly to the ATMs’ cash dispensing modules. To evade forensic analysis, the software included executable files designed to self-delete after the cash was dispensed, according to the charging documents.
“The Ploutus malware’s primary purpose was to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force withdrawals of currency,” prosecutors wrote in the indictment.
Actionable intelligence for banks
The indictments list a wide range of affected institutions, indicating that the group targeted specific ATM models—primarily older Diebold Nixdorf Opteva terminals—rather than specific banking brands.
Prosecutors listed 20 specific banks affected, mainly serving the Midwest. The affected banks include Iowa State Savings Bank; Oklahoma Heritage Bank; Cornhusker Bank; Columbus Bank & Trust in Columbus, Nebraska; Iowa Trust & Savings Bank; Farmers and Merchants Bank in Milford, Nebraska; Heartland Bank and Bank of the Sierra. Multiple credit unions were also targeted, including Mountain America, Heartland, Washington State Employees and Navy Federal, among others. (These banks and credit unions did not immediately respond to a request for comment.)
Security researchers advise that physical access is the weak point in these attacks.
“To detect and prevent this attack, the best starting point is to reinforce the device’s physical security,” according to a report from GuidePoint Security.
The firm recommends that banks replace standard top-hat locks with unique hardware, as many ATMs share identical keys, and implement full disk encryption to prevent the machine from booting unauthorized drives.
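A defender-side check that follows from the scheme described above, added here as an illustration and not drawn from the indictments or the GuidePoint report: reconcile the ATM's own dispenser journal against host-authorized withdrawals, since a Ploutus-style forced dispense puts cash out of the machine with no transaction the host ever approved. The record layout, the window values and every sample event are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the indictments): host-authorized
# withdrawals and the ATM's local dispenser journal as (time, atm, amount).
HOST_AUTHORIZATIONS = [
    ("2024-03-02T10:05:10", "ATM-0417", 200),
    ("2024-03-02T10:31:44", "ATM-0417", 60),
]
DISPENSER_JOURNAL = [
    ("2024-03-02T10:05:12", "ATM-0417", 200),   # matches a host authorization
    ("2024-03-02T10:31:45", "ATM-0417", 60),    # matches a host authorization
    ("2024-03-02T02:14:03", "ATM-0417", 2000),  # no authorization: forced dispense
    ("2024-03-02T02:14:31", "ATM-0417", 2000),
    ("2024-03-02T02:14:58", "ATM-0417", 2000),
]

def _ts(s):
    return datetime.fromisoformat(s)

def unauthorized_dispenses(journal, authorizations, window=timedelta(seconds=30)):
    """Return dispenser events with no host authorization for the same ATM
    and amount within `window`; each authorization satisfies one dispense."""
    unused = [(_ts(t), atm, amt) for t, atm, amt in authorizations]
    flagged = []
    for t, atm, amt in sorted(journal, key=lambda e: _ts(e[0])):
        match = next((a for a in unused
                      if a[1] == atm and a[2] == amt
                      and abs(a[0] - _ts(t)) <= window), None)
        if match is None:
            flagged.append((t, atm, amt))   # cash left the machine, no account debited
        else:
            unused.remove(match)
    return flagged

def burst_alert(events, min_count=3, span=timedelta(minutes=5)):
    """True if `min_count` unauthorized dispenses at one ATM fall within `span`."""
    by_atm = {}
    for t, atm, _amt in events:
        by_atm.setdefault(atm, []).append(_ts(t))
    for times in by_atm.values():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= span:
                return True
    return False

if __name__ == "__main__":
    hits = unauthorized_dispenses(DISPENSER_JOURNAL, HOST_AUTHORIZATIONS)
    print(len(hits), "unauthorized dispenses; burst alert:", burst_alert(hits))
```

The burst check matters because a single unmatched dispense can be a host timeout or journal skew, while several unmatched cash-outs at one terminal within minutes, especially outside branch hours, is the pattern the charging documents describe.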
Politicized threat landscape
The crackdown on Tren de Aragua coincides with an aggressive foreign policy shift by the Trump administration, which has designated the gang as a Foreign Terrorist Organization.
President Trump has claimed that Venezuelan President Nicolás Maduro directs the gang to carry out an “invasion” of the United States, citing this as justification for wartime deportation measures.
However, intelligence assessments contradict the White House’s narrative regarding state sponsorship.
“The Intelligence Community judges that intelligence indicating that regime leaders are directing or enabling TDA migration to the United States is not credible,” according to a leaked assessment from the National Intelligence Council.
Analysts note that the Maduro regime views Tren de Aragua as a security threat and has engaged in armed conflict with the group, including a 2023 raid on the Tocorón prison that served as the gang’s headquarters.
Furthermore, the administration has labeled the “Cartel de los Soles” as a terrorist organization led by Maduro, despite the term being a longstanding Venezuelan slang for corrupt military officials rather than a structured cartel.
This politicization complicates the risk assessment for financial institutions. While Ploutus malware has posed a documented threat since its discovery in Mexico in 2013 and has evolved to target U.S. infrastructure since 2018, the administration’s conflation of criminal gangs with state actors muddies the distinction between financial crime and geopolitical conflict.
Despite the political rhetoric, the threat to physical infrastructure remains potent. The recent indictments allege the group stole at least $5.4 million and attempted to steal an additional $1.4 million during the 19-month conspiracy.
“The Criminal Division will not tolerate networks of thieves who breach the security of our financial system,” said acting assistant attorney general Matthew R. Galeotti, according to a Thursday press release.
If convicted, the 54 accused individuals face maximum prison terms ranging from 20 to 335 years.