This week, the U.S. Department of Justice (DOJ) announced the indictment of 32 individuals said to be operating an international ATM jackpotting operation. They used the Ploutus malware to remotely target and exploit automated teller machines (ATMs) nationwide. Prosecutors announced the indictment on October 21, 2025. It sheds light on the large-scale activities attributed to Tren de Aragua (TdA), a Venezuelan gang that the U.S. State Department has designated as a foreign terrorist organization.
This hacking conspiracy has resulted in 1,529 incidents of ATM jackpotting since 2021, with losses so far totaling $40.73 million. The DOJ’s investigation highlights the dire consequences of such illicit actions, especially their links to funding terrorism.
The Role of Ploutus Malware
Ploutus malware is a key part of this criminal conspiracy. This new exploit lets hackers remotely access ATMs and compel them to dispense cash illegally. Once the malware spreads to the ATM, it provides criminals with immediate access to cash. Money mules are then able to cash out thousands of dollars quickly within a few weeks.
“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes,” – FireEye
The malware’s design includes features that delete evidence of its presence, aiming to mislead bank employees and conceal the operation’s activities. This technical sophistication highlights the changing landscape of cybercrime: traditional theft methods are giving way to complex cyber-enabled schemes.
“The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM,” – The DoJ
Connection to Tren de Aragua
Tren de Aragua has grown into a powerful transnational criminal enterprise. U.S. authorities have linked the group to various criminal activities, including drug trafficking and arms smuggling. Niño Guerrero was sanctioned by the U.S. government in July 2025 due to his leadership of the gang. Five other prominent members were similarly sanctioned for their roles in the expansive conspiracy.
The gang’s operations go beyond hacking ATMs: it has allegedly been recruiting hackers to deploy Ploutus malware across the country. The DOJ’s indictment reflects a broader effort to dismantle TdA’s criminal network and prevent further terrorist financing.
“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes,” – U.S. Attorney Lesley Woods
Potential Penalties and Future Implications
The defendants named in this indictment may be subject to significant punishment upon conviction. They may face sentences between 20 and 335 years of incarceration. The charges are very serious and signal the U.S. government’s willingness to take action to combat cybercrime and protect financial institutions from these threats.
In announcing the indictments, Acting Assistant Attorney General Matthew R. Galeotti emphasized the defendants’ organized operation. He described how they used surveillance and burglary tactics to carry out their plots. Their cooperative and organized approach reflects a deeply concerning trend in cybercrime. They create new spaces where the government can fabricate crime and injustices disappear from sight.
“These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization,” – Acting Assistant Attorney General Matthew R. Galeotti

