ATM Jackpotting Hits $20M in 2025 While Nation-State Schemes Target US Companies

I’ve been digging through this week’s security reports, and there’s a concerning pattern emerging that we need to talk about. While we’re all focused on the latest APT campaigns and zero-days, criminals are making serious money through some surprisingly old-school methods – and nation-states are getting creative with their infiltration tactics.

ATM Malware: The $20 Million Problem We’re Not Talking About

The FBI just dropped some eye-opening numbers about ATM jackpotting attacks that honestly caught me off guard. We’re talking about over $20 million stolen in 2025 alone, with 700 incidents last year out of 1,900 total since 2020. That’s a massive spike that suggests these attacks are becoming more organized and profitable.

For those who haven’t encountered jackpotting before, it’s essentially malware that forces ATMs to dispense cash like a broken slot machine. What makes this particularly interesting from a security perspective is that it requires physical access to the machine – attackers need to either open the ATM or connect devices directly to it. This isn’t your typical remote cyber attack.

The FBI’s warning mentions that since 2020, these incidents have collectively resulted in about $40.73 million in losses according to the Department of Justice. When you break down those numbers, we’re seeing a clear acceleration in both frequency and financial impact.

What worries me most is that this represents a gap in our collective security focus. While we’re hardening networks and hunting for advanced persistent threats, criminals are literally walking up to ATMs and making them spit out cash. It’s a reminder that physical security and legacy system protection can’t be afterthoughts.

North Korea’s Remote Work Infiltration Gets a Reality Check

Speaking of creative attack methods, the sentencing of Ukrainian national Oleksandr Didenko gives us a fascinating look into how North Korea’s IT worker scheme actually operates on the ground. Didenko got five years for stealing US citizen identities and selling them to North Korean IT workers trying to land remote jobs at American companies.

This case is particularly revealing because it shows the infrastructure behind these operations. We’re not just dealing with skilled North Korean developers somehow bypassing hiring processes – there’s an entire criminal ecosystem providing stolen identities, handling payments, and facilitating the fraud. Didenko’s role was essentially identity broker, connecting North Korean operatives with the documentation they needed to pass background checks and onboarding processes.

The implications for our hiring and contractor vetting processes are significant. When someone can purchase a complete stolen identity package, traditional verification methods become much less reliable. It makes me think we need to reconsider how we verify remote workers, especially for sensitive projects or companies with valuable intellectual property.

Roundcube Vulnerabilities: When Webmail Becomes a Gateway

CISA added two Roundcube vulnerabilities to their Known Exploited Vulnerabilities catalog this week, and the details should make anyone running webmail infrastructure nervous. CVE-2025-49113 scored a 9.9 CVSS, which is about as critical as vulnerabilities get. It’s a deserialization flaw that allows remote code execution – essentially giving attackers complete control over the server.

What’s particularly concerning is that CISA is seeing active exploitation in the wild. Roundcube is widely deployed, especially in smaller organizations and hosting environments that might not have the same patch management resources as enterprise environments. These systems often become forgotten infrastructure that keeps running until something breaks.

If you’re responsible for any Roundcube installations, this is your wake-up call to audit what you have running and get patches deployed immediately. Webmail servers are attractive targets because they’re internet-facing by design and often contain years of sensitive communications.
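To make that audit concrete, here is an added example (not code from the article or from the Roundcube project) that walks a web root, finds every Roundcube install, pulls its version string, and reports whether it is below the first patched release for its branch. It assumes Roundcube records its version as `define('RCMAIL_VERSION', ...)` in `program/include/iniset.php`; the fixed-version thresholds are passed in by you from the CVE-2025-49113 advisory, since the article does not state them.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumption: Roundcube records its release in program/include/iniset.php as
# define('RCMAIL_VERSION', '1.6.4'); the path and constant name come from the
# project's source layout, not from the article above.
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([0-9][0-9A-Za-z.\-]*)'\s*\)")

# Constructed sample of the relevant line, used for the stand-alone demo below.
SAMPLE_INISET = "<?php\n// constructed sample mimicking iniset.php\ndefine('RCMAIL_VERSION', '1.6.4');\n"


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '1.6.11' into ((1, 6, 11), 1); a '-rc'/'-beta' suffix sorts below the final release."""
    core, _, suffix = v.partition("-")
    return tuple(int(p) for p in core.split(".")), (0 if suffix else 1)


def extract_version(iniset_text: str) -> Optional[str]:
    """Return the RCMAIL_VERSION string from iniset.php contents, or None if absent."""
    m = VERSION_RE.search(iniset_text)
    return m.group(1) if m else None


def assess(version: str, fixed: Dict[str, str]) -> str:
    """Compare an installed version with the first fixed release of its branch (e.g. '1.6')."""
    branch = ".".join(version.split(".")[:2])
    if branch not in fixed:
        return "unsupported"  # no fixed release known for this branch: plan an upgrade
    return "patched" if parse_version(version) >= parse_version(fixed[branch]) else "vulnerable"


def audit_tree(root: Path, fixed: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Walk a web root and report (install_dir, version, status) for every Roundcube found."""
    findings = []
    for p in root.rglob("program/include/iniset.php"):
        v = extract_version(p.read_text(errors="replace"))
        install_dir = str(p.parent.parent.parent)
        findings.append((install_dir, v, assess(v, fixed) if v else "unknown"))
    return findings


if __name__ == "__main__":
    # Usage: python audit.py /var/www 1.6.X 1.5.X  (take X from the advisory; placeholders here)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    thresholds = {".".join(t.split(".")[:2]): t for t in sys.argv[2:]}
    print("demo:", extract_version(SAMPLE_INISET), assess("1.6.4", thresholds or {"1.6": "1.6.99"}))
    for install_dir, version, status in audit_tree(root, thresholds):
        print(f"{status:12} {version or '?':10} {install_dir}")
```

Anything reported as "vulnerable", "unsupported" or "unknown" goes on the patch list; "unknown" usually means a modified or partially deleted install that deserves a manual look.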

The Bigger Picture: Physical Meets Digital

Looking at these stories together, there’s an interesting theme about the convergence of physical and digital attack vectors. ATM jackpotting requires physical access but relies on malware. The North Korean scheme uses digital identity theft to place a person (even if remote) inside American companies. Even the Roundcube vulnerabilities are likely exploited to compromise the servers themselves, as a foothold for further network access.

We’re seeing attackers adapt to whatever security measures we put in place. When network security gets harder, they go physical. When hiring processes get more rigorous, they buy better fake identities. When modern applications get more secure, they target legacy webmail systems.

The lesson here isn’t that any single security control is failing – it’s that we need to think about security as an interconnected system. Your network security is only as strong as your physical controls. Your hiring process is only as secure as your identity verification methods. Your modern infrastructure is only as protected as your oldest internet-facing service.