CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Venezuelan ATM Jackpotting Operators Convicted, Face Deportation After Malware Attacks

Two Venezuelan nationals convicted of conducting ATM “jackpotting” attacks using malware will be deported from the United States, according to the U.S. Department of Justice. The defendants physically compromised ATMs, installed specialized malware, and forced machines to dispense all available cash. The case highlights the continued use of long-standing ATM malware and the operational simplicity of jackpotting attacks when physical access is achieved.

Context

ATM jackpotting is a hybrid cyber-physical crime that combines hands-on tampering with malicious software. While the technique peaked several years ago, recent prosecutions show it remains active and effective. U.S. authorities have increasingly linked these operations to organized crime groups operating across state and national borders.

What Happened

According to court records, Luz Granados (34) and Johan Gonzalez-Jimenez (40) removed ATM casings, connected laptops directly to the machines, and installed malware that allowed them to command the ATMs to release all stored cash.

Granados was sentenced to time served and ordered to pay $126,340 in restitution. Gonzalez-Jimenez received an 18-month prison sentence and was ordered to pay $285,100. Both face deportation, with Granados awaiting removal and Gonzalez-Jimenez scheduled for deportation after completing his sentence.

Technical Breakdown

The attacks relied on a well-known ATM malware family called Ploutus, which enables direct control of ATM dispensing mechanisms once installed. After gaining physical access, attackers bypass operating system protections and deploy the malware using a connected laptop.

Once active, the malware accepts commands that instruct the ATM to empty its cash cassettes. While technically unsophisticated by modern standards, the approach is highly effective against machines lacking updated physical and software defenses.

Impact Analysis

Beyond direct financial losses, jackpotting incidents undermine trust in ATM infrastructure and require costly repairs, forensic analysis, and system audits. The DOJ notes that Ploutus malware was used as recently as August 2025, despite its public history stretching back more than a decade.

The convictions follow a broader enforcement action announced in December, when U.S. authorities charged 54 individuals connected to a large-scale ATM jackpotting campaign linked to the Venezuelan crime syndicate Tren de Aragua.

Why It Matters

These cases demonstrate that legacy malware remains viable when defensive controls lag behind. Physical access continues to be a critical weakness in financial infrastructure, especially for standalone or poorly monitored ATMs.

For financial institutions, the lesson is clear: cybersecurity does not end at the network perimeter. Physical hardening, real-time monitoring, and rapid incident response remain essential.

Expert Commentary

Federal prosecutors emphasize that jackpotting operations are often repeatable, scalable, and attractive to organized crime groups due to their relatively low technical barrier and high payout potential.

Security researchers note that while Ploutus is not new, its persistence underscores slow adoption of tamper detection and secure boot mechanisms across ATM fleets.

Key Takeaways

  • ATM jackpotting remains an active threat despite the age of the malware involved.

  • Physical access combined with malware enables rapid, high-impact theft.

  • Legacy ATM defenses continue to be exploited by organized crime.

  • Recent DOJ actions show increased focus on dismantling cross-border cyber-physical crime rings.

  • Financial institutions must address both cyber and physical security gaps.
