TL;DR
Two Nebraska indictments charge 54 alleged members of Venezuelan gang Tren de Aragua with ATM jackpotting using a Ploutus malware variant. DOJ figures show more than $40 million lost to ATM tampering and malware since 2020; prosecutors say the case is part of a wider multi-state crackdown that includes violent-crime allegations against hundreds of alleged members.
What happened
Federal prosecutors in Nebraska returned two indictments charging 54 individuals alleged to be members of the Venezuelan gang Tren de Aragua in a series of ATM jackpotting incidents across the United States. Court filings allege suspects targeted certain banks and credit unions, inspected ATMs for external security, opened machine doors to test whether alarms or rapid law-enforcement responses would occur, then installed a Ploutus malware variant. Methods described include removing and reinstalling hard drives after loading malware, swapping in drives already preloaded with Ploutus, or using external USB drives to deploy the code. Ploutus, first observed in Mexico around 2013, is designed to control an ATM’s cash-dispensing module so attackers can issue commands that force machines to eject bills. The Justice Department says ATM jackpotting activities have accounted for more than $40 million in losses since 2020, though it did not specify how much of that is tied to these defendants. The indictments sit alongside broader charges against alleged TdA members for violent and transnational crimes.
Why it matters
- Malware that can directly control an ATM’s cash dispenser poses immediate financial and physical risks at retail and banking locations.
- The alleged blend of physical tampering and malware deployment shows how organized groups combine cyber and hands-on tactics.
- DOJ’s $40 million figure since 2020 illustrates the scale of ATM jackpotting as a persistent criminal scheme.
- Prosecutions targeting TdA form part of a multi-state enforcement effort addressing both cyber-enabled theft and violent transnational crime.
Key facts
- Two indictments in Nebraska charge a total of 54 alleged Tren de Aragua members in ATM jackpotting operations.
- Court documents allege use of a Ploutus malware variant to force ATMs to dispense cash.
- Alleged methods included removing or swapping ATM hard drives and deploying malware via external USB drives.
- Ploutus was first thought to have been observed in Mexico in 2013 and targets ATM cash-dispensing modules.
- The Justice Department says ATM jackpotting and related tampering have resulted in over $40 million stolen since 2020.
- Indictments against alleged TdA members also include charges for assault, money laundering, and sex trafficking of minors.
- DOJ unsealed separate charges tied to violent crimes by more than 70 alleged TdA members, including murder, kidnapping, and drug trafficking.
- Two suspected TdA leaders were indicted in Colorado on various charges, including alleged RICO offenses.
- Alleged TdA co-leader Hector Rusthenford Guerrero Flores was charged in New York and remains at large with a reported $5 million bounty.
What to watch next
- Criminal proceedings in Nebraska against the 54 defendants named in the ATM indictments (confirmed in the source).
- Whether authorities capture or extradite Hector Rusthenford Guerrero Flores — not confirmed in the source.
- The outcomes of expanded multi-state enforcement and Joint Task Force Vulcan actions against Tren de Aragua affiliates — not confirmed in the source.
Quick glossary
- Ploutus: A family of malware that targets ATMs’ cash-dispensing functionality, allowing attackers to issue commands that make machines eject bills.
- ATM jackpotting: Criminal technique combining physical tampering and malware to force an ATM to dispense cash illicitly.
- Tren de Aragua (TdA): A Venezuelan criminal organization that U.S. officials have said is involved in transnational crimes; recent indictments allege members carried out ATM jackpotting and a range of violent offenses.
- RICO: Racketeer Influenced and Corrupt Organizations Act, a U.S. federal law often used to prosecute organized criminal enterprises.
Reader FAQ
What is Ploutus and how does it work?
Ploutus is malware that targets the cash-dispensing module of ATMs, enabling attackers to send commands that make machines release currency.
How much money was stolen in these ATM attacks?
The Justice Department reports more than $40 million stolen via ATM tampering and malware since 2020, but it did not say how much of that is attributed to these defendants.
Are any alleged leaders in custody?
Two suspected leaders were indicted in Colorado; the alleged co-leader Hector Rusthenford Guerrero Flores was charged in New York and remains at large with a reported $5 million bounty.
Is this part of a larger law enforcement effort?
Yes. The indictments are part of an expanded multi-state crackdown that federal officials say targets hundreds of alleged Tren de Aragua members; Joint Task Force Vulcan’s remit was broadened to include TdA.
CYBER-CRIME 22 ATM jackpotting gang accused of unleashing Ploutus malware across US Latest charges join the mountain of indictments facing alleged Tren de Aragua members Connor Jones Fri 19 Dec 2025 // 20:15 UTC…
Sources
- ATM jackpotting gang accused of unleashing Ploutus malware across US
- Tren De Aragua Members and Leaders Indicted in Multi …
- Justice Department announces indictments in alleged …
- US indicts multi-million dollar ATM jackpotting scheme actors
Related posts
- NIST considered disabling NTP feeds after Boulder blackout caused clock drift
- Google shutters Dark Web Report, nudges users toward other security tools
- Apple and Google begrudgingly allow alternative app stores in Japan