Dozens of people have been indicted by the Justice Department for a streak of ATM thefts involving the Ploutus malware.
The DOJ announced on Thursday two federal grand jury indictments charging 54 people for their alleged roles in a campaign to develop and deploy a variant of the Ploutus malware, allowing them to pilfer hundreds of thousands of dollars from ATMs across the U.S.
In one indictment unsealed earlier this month, prosecutors said between February 2024 and December 2025, a group of 22 people committed or attempted to commit at least 63 ATM jackpottings, including 54 against machines at credit unions. The other indictment, filed in October and unsealed this week, charged another 32 people with crimes related to the ATM scheme.
The agency claimed members of the conspiracy are part of Tren de Aragua — a Venezuelan gang recently designated a foreign terrorist organization by the State Department.
The unsealing of the indictments coincides with a ratcheting up of pressure against the Venezuelan government by the Trump administration, which has claimed that the country’s leaders have ties to Tren de Aragua. A leaked intelligence memo from U.S. agencies in April disputed any links between the gang and the Venezuelan government.
At least one of the men mentioned in the indictment, Jimena Romina Araya Navarro, is confirmed to be Venezuelan but the nationalities of the other defendants are unclear.
The Justice Department said at least $5.4 million was stolen by the group of 22 defendants, who tried but failed to steal another $1.4 million. Several of the financial institutions attacked lost more than $100,000, with at least one credit union in Kearney, Nebraska, suffering a loss of about $300,000.
Prosecutors said members of the gang worked in groups to identify ATMs at banks or credit unions before using the malware to dispense cash.
“Following this reconnaissance, the groups would open the hood or door of ATMs and then wait nearby to see whether they had triggered an alarm or a law enforcement response,” prosecutors said.
“The groups would then take steps to install malware on the ATMs, by removing the hard drive and installing the malware directly, by replacing the hard drive with one that had been pre-loaded with the Ploutus malware, or by connecting an external device such as a thumb drive that would deploy the malware.”
Prosecutors said members of the group would need to “gain physical access to the ATM, remove the data storage device (referred to as a hard drive, or solid-state drive) from the ATM, install malicious code onto the data storage device, and then reinsert the data storage device into the ATM.”
The malware could bypass the ATM’s security systems and a “dispense” command would be sent to the ATM, allowing money to come out. Some members of the scheme would watch ATMs and check if they had silent hood alarms.
The indictment lists several incidents, including one in March 2025 where members of the gang stole $79,200 from an ATM in Omaha, Nebraska.
Experts and government agencies have warned for nearly a decade about variants of the Ploutus malware, which Google researchers previously said “is one of the most advanced ATM malware families” they’ve seen.
The Ploutus ATM malware was first detected by Symantec in 2013 and has gone through several updates since then.
It was initially deployed against ATMs across Mexico in 2013, allowing criminals to empty machines either by attaching an external keyboard to the ATM or by sending an SMS message, a technique that had never been seen before, according to Google.
Ploutus has been used to target a variety of ATM vendors, including Diebold Nixdorf, Kalignite Platform and others. Diebold Nixdorf issued multiple alerts in 2017 and 2018 about variants of the malware being used to steal money from ATMs across Mexico and the U.S.
Thieves need a master key to open the top portion of the ATM or need to be able to pick the lock in order to attach a physical keyboard or device to the machine. The malware used is also capable of deleting evidence of the attack.
Mayuresh Dani, a cybersecurity expert at Qualys Threat Research Unit, said Ploutus has been developing continually through multiple variants released over the past 12 years — each adding sophisticated capabilities.
“The malware has been incrementally improved based on intentional reverse-engineering of ATM security models and now is compatible across various ATM platforms and Windows operating systems,” Dani said.
United States Attorney Lesley Woods claimed the money stolen from the ATMs was split among those who conducted the physical attacks and senior leaders of the gang.
On Monday, Venezuela blamed the U.S. for a cyberattack on its state oil company that has stymied operations for days.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

