ATM Jackpotting Malware Has Already Spread Globally

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

According to a piece by Motherboard, ATM Jackpotting malware has now spread all over the world, threatening to begin ejecting banknotes out of hundreds of thousands of machines. The discovery was the result of a joint investigation between the Motherboard and the German broadcaster Bayerischer Rundfunk (BR), while the situation is now in the hands of the authorities. According to the report, there have been at least 82 jackpotting attacks in Germany over the last couple of years, while similar incidents have been reported in the United States, Southeast Asia, and Latin America.

ATM jackpotting malware needs to be injected into the ATM memory, so the machine has to be opened, and the attackers need to connect their media to the ATM through the USB port. After the infection, the attacker may order the malware to initiate a “jackpot”, which results in the spewing of banknotes until all cash is out or the target cash-dispensing module is emptied. As we saw recently, these type of attacks is on the rise, although it remains a very niche field. That is especially the case since “Cutlet Maker” entered the market of custom malware creation in 2016.

Motherboard reports that most of the ATM jackpotting malware that is to be found around the globe right now has been created with the Cutlet Maker “do-it-yourself” kit. As for whether the infections are taking place right on the ATM location or as part of a production chain compromise, some correlation has been made with the Santander bank, the Wincor 2000xe ATM, and the Diebold Nixdorf manufacturer. For those of you who have been following the news here, we had presented a warning from Diebold Nixdorf back in June, involving a vulnerability that plagued older ATM models (Opteva-based ATMs).

Of course, Santander hasn’t made a clarifying statement other than one to assure of their impeccable checking and securing processes. No one can accuse them of being irresponsible, and at the end of the day, jackpotting attacks are after their money, not their customer data. However, they have suffered at least 36 attacks since last year, so there’s definitely something going on with their systems.

Right now, the Cutlet Maker malware creator is sold in the dark web for $1000, but it is not the only kit that does the job. As we reported in February, there’s another malware called “WinPot”, and which can be loaded onto ATMs via USB ports again. It is sold between $500 and $1000, and modifications of it have already been spotted in the wild. All that said, right now, numerous jackpotting attacks are going on around the world, but most of them aren’t getting publicized.

Have something to comment on the above? Feel free to do just that in the section down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: