
Jackpotting malware

March 5, 2020 by Daniel Dimov


Jackpotting malware is not well known because it exclusively targets automated teller machines (ATMs). This means it usually doesn’t directly affect a large number of people. However, this type of malware may seriously harm the reputation and the financial stability of the banks owning the hacked ATMs. 

For example, between February and November 2017, at least 10 jackpotting attacks were conducted in the German state of North Rhine-Westphalia. As a result of those attacks, hackers stole 1.4 million EUR (about $1.5 million).

Before proceeding with the examination of jackpotting malware, we need to clarify the term “jackpotting malware.” In simple words, it means malware which allows fraudsters to force ATMs to dispense cash without reflecting the withdrawal transactions in any bank accounts.

In this article, we will examine two of the most widely known types of jackpotting malware, Ploutus and Cutlet Maker. We will also look at the operation of jackpotting malware and provide recommendations on how banks can protect against it. 

Ploutus and Cutlet Maker

Ploutus was first discovered in Mexico in 2013. The first version of Ploutus had to be installed on an ATM by inserting a CD into the ATM’s CD-ROM drive. The 2014 version, called Backdoor.Ploutus.B, relied on distribution through a mobile phone, a method also known as USB tethering.

In 2016, the creators of Ploutus released a new version called Ploutus-D. Ploutus-D can be installed by gaining physical access to the top portion of the respective ATM. Ploutus-D exists in various modifications that allow it to run on machines of 41 different ATM vendors in 80 countries. A representative of the security firm FireEye called Ploutus-D “one of the most advanced ATM malware families we’ve seen in the last few years.”

Cutlet Maker was originally sold on the internet, but later became freely available. It infects ATMs through a USB memory stick. The stick and an external keyboard need to be attached to an ATM for it to be infected. 

The malware is not complex. A specific characteristic of Cutlet Maker is that, after being installed on an ATM, the following message will appear on the display of the hacked machine: “Ho-ho-ho! Let's make some cutlets today!” The message includes a cartoon image of a chef and a piece of meat.

The operation of jackpotting malware

The first step towards the successful operation of jackpotting malware is gaining physical access to the targeted ATM. To do so, fraudsters often dress like ATM technicians in order to avoid attracting attention. In some cases, criminals also use an endoscope, an instrument that allows physicians to look inside the human body, to find computer ports within the targeted ATM.

The second step is the activation of the jackpotting malware. This is usually done by using the keyboard of the hacked ATM or by sending SMS commands to it. The latter method is much more convenient because it works almost instantly and provides criminals with the opportunity to perform their malicious operations without the need to expose themselves publicly.

The third step relates to taking the stolen money from the hacked ATM. This is usually done by money mules, individuals who perform high-risk operations upon the instructions of criminals. Many money mules may be young individuals who are usually not well aware of the consequences of their actions. For example, a report of the UK police indicates that 36% of the money mules participating in money laundering were individuals under the age of 21.

Money mules can be divided into three categories: unknowing mules, witting mules and complicit mules. Unknowing mules do not know at all that they are engaged in criminal activities. Witting mules have noticed signs (e.g., warning messages from banks) indicating that they are engaged in criminal activities but have nevertheless decided to proceed further. Complicit mules are well aware of their participation in criminal schemes.

Protection against jackpotting malware

Banks that want to protect their ATMs against jackpotting malware need to take at least the following measures:

  1. Installing and maintaining up-to-date anti-malware software
  2. Locking down ATM systems in order to prevent the uploading of unauthorized programs
  3. Disabling auto-run and boot features
  4. Making sure that the ATMs do not use default passwords. Default passwords can be found in instruction manuals that are usually publicly available.
  5. Enhancing the physical security of ATMs by, for example, installing security cameras next to them and hiring security officers to monitor those cameras
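
The measures above can be complemented by monitoring for the hardware pattern described earlier for Cutlet Maker: a USB stick and an external keyboard attached to the same ATM. The following is an added example, not code from the original article; the log format, ATM identifiers, device class names and maintenance schedule are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample device-event log (format and ATM ids are assumptions).
SAMPLE_LOG = """\
2020-03-01T02:14:07 ATM-0042 ATTACH usb_storage
2020-03-01T02:14:31 ATM-0042 ATTACH usb_keyboard
2020-03-01T10:05:00 ATM-0007 ATTACH usb_keyboard
2020-03-01T10:06:10 ATM-0007 ATTACH usb_storage
2020-03-01T23:40:00 ATM-0013 ATTACH usb_storage
2020-03-02T03:00:00 ATM-0013 ATTACH usb_keyboard
"""

# Hypothetical approved service windows per ATM: (start, end).
MAINTENANCE = {
    "ATM-0007": [(datetime(2020, 3, 1, 9, 0), datetime(2020, 3, 1, 12, 0))],
}
WINDOW = timedelta(minutes=10)  # max gap between the two attachments
# Each watched device class maps to the class it must be paired with.
WATCHED = {"usb_storage": "usb_keyboard", "usb_keyboard": "usb_storage"}

def parse(log):
    """Yield (timestamp, atm_id, device_class) for each ATTACH line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "ATTACH":
            continue  # skip blank or malformed lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[3]

def in_maintenance(atm, ts):
    """True if ts falls inside an approved service window for this ATM."""
    return any(start <= ts <= end for start, end in MAINTENANCE.get(atm, []))

def find_alerts(log):
    """Return (atm_id, time) where USB storage and a keyboard attach within
    WINDOW of each other outside an approved maintenance window."""
    last_seen = {}  # (atm, device_class) -> time of most recent attach
    alerts = []
    for ts, atm, dev in sorted(parse(log)):
        last_seen[(atm, dev)] = ts
        prev = last_seen.get((atm, WATCHED.get(dev)))
        recent = prev is not None and ts - prev <= WINDOW
        if recent and not in_maintenance(atm, ts):
            alerts.append((atm, ts))
    return alerts

if __name__ == "__main__":
    for atm, ts in find_alerts(SAMPLE_LOG):
        print(f"ALERT {atm}: USB storage + keyboard attached by {ts}")
```

Only ATM-0042 is flagged in the sample: ATM-0007 shows the same pairing inside an approved service window, and the two attachments on ATM-0013 are hours apart.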


The number of cyberattacks relying on jackpotting malware has increased in recent years. In this article, we examined only two types of jackpotting malware, namely, Ploutus and Cutlet Maker. However, many other types currently exist (e.g., WinPot, Tyupkin virus and Prilex). All these malware applications have the potential to quickly empty a large number of ATMs.

As shown above, the operation of jackpotting malware is rather simple. It consists of three steps: installing the malware, activating the malware and collecting the criminal proceeds. The most effective method to avoid infections with jackpotting malware is to prevent criminals from completing the first step. This can be done by taking both application and physical security measures.




Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International Law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European Law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International Law.