BID® Daily Newsletter
Sep 4, 2025


ATM Thieves Have Upped Their Game — So Can You

Summary: Criminals are finding more sophisticated ways to try to steal money from ATMs. We detail some of the latest methods and how CFIs can thwart them.

One dramatic way to steal money from an ATM: bomb it open. That’s what happened this August at a Target store in San Ramon, Calif. The last free member of a South American heist crew was arrested for allegedly detonating an explosive to crack open an ATM at the store. The crew — all now locked up — had already stolen more than $4MM in cash from dozens of ATMs and banks in California, Oregon, and Washington.
Criminal attacks on ATMs are becoming more complex than ever, so community financial institutions (CFIs) have to be just as smart to defend against them.
“For community banks, the challenge is enhancing security while staying mindful of budgetary constraints,” says Scott Anchin of the Independent Community Bankers of America (ICBA). “That’s where policy support and close vendor partnerships, with adequate due diligence, can really make a difference.”
CFIs need a more proactive and multilayered security strategy to combat ever more sophisticated high-tech attacks against ATMs, including skimming, shimming, jackpotting, malware, and black box tactics, says Diebold Nixdorf’s Jodi Neiding. “Physical reinforcements are still critical, but today’s defense is increasingly digital and intelligent.”
Current ATM Threats and How To Prevent Them
Here are some of the latest ways that criminals are targeting ATMs and recommendations on how CFIs can thwart them:
Threat: Transaction reversal fraud. Criminals push the withdraw request button on an ATM, and the machine “pre-stages” the cash in the closed dispenser. But before the door opens, criminals jam something into the card reader, which sends a “fault” message to the transaction host, and the host reverses the charge to the account. As this happens, criminals simultaneously pull open the shutter and steal the cash that was pre-staged.
Solution. CFIs should always install ATM vendor updates, as they now include commands for ATMs to not pre-stage cash. Moreover, CFIs should change the rules governing the transaction host to “favor the bank,” so customer accounts are immediately debited, even if a “fault” like a jam occurs. This at least logs the transaction, in the hope that the customer notices an ATM visit they did not make, prompting an investigation.
Threat: UNC2891. Also known as Lightbasin, this threat actor especially likes to target ATMs powered by Unix systems, with Oracle Solaris-based network switches. UNC2891 installs a small computer called a Raspberry Pi onto the ATM network switch. A 4G modem on the computer gives the threat actor remote access to data within the financial institution’s (FI’s) internal network. UNC2891 then uses Tinyshell, an open-source backdoor for Unix systems, to execute file transfer commands, ultimately deploying Caketap, malware used to fraudulently withdraw cash from the FI’s ATMs. The threat actor’s latest attempt on an FI’s ATM network was thwarted by cybersecurity firm Group-IB.
Solution. Group-IB recommends that FIs physically secure switch ports and ATM-connected infrastructure; monitor the type of commands that UNC2891 uses, called “mount and umount syscalls”; and block or create an alert when commands to execute malware from “/tmp or .snapd” paths are detected. If an attack occurs, the FI should also investigate any hidden processes by capturing images of the network’s temporary memory at every point in time, as that’s where the malware is actually placed.
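The monitoring and alerting steps above can be sketched as a log triage script. This is an added example, not code from Group-IB or from this newsletter; it assumes Linux auditd-style SYSCALL records with syscall names already interpreted, and every record, path and event number in the sample is constructed.

```python
import posixpath
import re

# Constructed records modelled on Linux auditd SYSCALL lines with syscall
# names already interpreted (assumption: hosts on the ATM network log this way).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1756944000.101:501): syscall=execve success=yes pid=4120 comm="sshd" exe="/usr/sbin/sshd"
type=SYSCALL msg=audit(1756944003.220:502): syscall=mount success=yes pid=4188 comm="mount" exe="/usr/bin/mount"
type=SYSCALL msg=audit(1756944004.007:503): syscall=execve success=yes pid=4190 comm="helper" exe="/tmp/.x/helper"
type=SYSCALL msg=audit(1756944009.514:504): syscall=execve success=yes pid=4201 comm="agent" exe="/var/lib/.snapd/agent"
type=SYSCALL msg=audit(1756944011.300:505): syscall=execve success=yes pid=4210 comm="cleanup" exe="/usr/lib/tmpfiles/cleanup"
type=SYSCALL msg=audit(1756944015.882:506): syscall=umount2 success=yes pid=4222 comm="umount" exe=/usr/bin/umount
""".splitlines()

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EVENT_ID = re.compile(r"audit\([\d.]+:(\d+)\)")
MOUNT_SYSCALLS = {"mount", "umount", "umount2"}

def parse(line):
    """Turn one key=value record into a dict, accepting quoted or bare values."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}

def suspicious_exec_path(exe):
    """True if exe sits under /tmp or has a .snapd path component."""
    parts = posixpath.normpath(exe).split("/")
    # Compare whole path components, so /usr/lib/tmpfiles/... is not
    # mistaken for /tmp and "../" segments cannot hide the real directory.
    under_tmp = len(parts) > 2 and parts[0] == "" and parts[1] == "tmp"
    return under_tmp or ".snapd" in parts

def triage(lines):
    """Return (event_id, action, reason) for each record matching the guidance."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec.get("type") != "SYSCALL":
            continue
        match = EVENT_ID.search(line)
        event = match.group(1) if match else "?"
        syscall, exe = rec.get("syscall", ""), rec.get("exe", "")
        if syscall in MOUNT_SYSCALLS:
            findings.append((event, "monitor", f"{syscall} by {exe}"))
        elif syscall == "execve" and suspicious_exec_path(exe):
            findings.append((event, "alert", f"exec from {exe}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Mount and umount calls are reported for review rather than alerted on, since legitimate administration also produces them; executions from the two path patterns are raised as alerts.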
Threat: Offline logical attacks. Criminals open an ATM and take out its hard disk and insert it into their own computer. They then put malware onto the hard disk and reinsert the disk into the ATM, enabling them to fraudulently withdraw money remotely.
Solution. CFIs should encrypt their ATMs’ hard disks with endpoint protection software so that the disks can only be accessed by their parent computers, preventing criminals from using their own computers to inject malware into the disks.
Threat: Pulling off ATM doors with a chain. Criminals hook chains from their vehicles to the security doors of older drive-up ATMs and then drive to pull them off, stealing the cash that is stored inside.
Solution. CFIs should consider modernizing their ATM fleets with next-generation machines that can better withstand such attacks, in part by making it harder to actually hook chains onto the security doors. Some vendors are also now adding barrier gates in front of drive-up ATMs.
Thwarting would-be attacks takes more than just what an individual CFI can do — it takes sharing information with other FIs, as well as with law enforcement and regulators, ICBA’s Anchin says. “ATM security is part of a broader conversation about consumer trust and financial access,” he says. “Customers’ sense of safety is so important.”
Protect your ATMs against increasingly sophisticated attacks with a multilayered approach that combines increased physical security measures with software and enhanced security protocols.