FBI adds leader of ATM Jackpotting conspiracy to list of 'Ten Most Wanted Fugitives' after increase in cases across US; how criminals infect ATMs


FBI Omaha Special Agent in Charge Eugene Kowel and U.S. Attorney for the District of Nebraska Lesley Woods announced recently that Anibal Alexander Canelon Aguirre has been added to the FBI’s Ten Most Wanted Fugitives list.

Canelon Aguirre is wanted for allegedly leading a large international conspiracy that deploys numerous crews to the U.S. to steal millions of dollars from financial institutions in support of transnational gang Tren de Aragua (TdA), a designated foreign terrorist organization. Since at least January of 2024, Canelon Aguirre and other members of the conspiracy are alleged to have unlawfully enriched themselves by committing ATM jackpotting, a scheme where malware is installed on ATMs to force the unauthorized withdrawal of cash, after which the stolen cash flows through a complex money laundering network.

Increase in malware-enabled ATM Jackpotting incidents across the United States

According to an FBI alert, criminals are deploying ATM jackpotting malware, including the Ploutus malware family, to infect ATMs and force them to dispense cash. Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do. When a legitimate transaction occurs, the ATM application sends instructions through XFS for bank authorization.

Common methods used to infect ATMs

After gaining access to ATMs, most often by opening an ATM face with widely available generic keys, ATM jackpotting threat actors have used several main methods to deploy malware:

• Threat actors remove the ATM’s hard drive, connect it to their computer, copy the malware to the hard drive, return the hard drive to the ATM, and reboot the ATM.
• Threat actors remove the ATM’s hard drive, replace it with a foreign hard drive or other external device with preloaded malware, and reboot the ATM.

How malware infects ATMs

The malware interacts directly with the ATM hardware, bypassing any communications or security of the original ATM software. The malware does not require connection to an actual bank customer account to dispense cash. The malware can be used across ATMs of different manufacturers with very little adjustment to the code, as the Windows operating system is exploited during the compromise.

The FBI advises banks and financial institutions that a key validation step during ATM incident response is confirming whether file hashes match the organization’s verified baseline.

Each ATM should be deployed from a controlled “gold image” containing cryptographically verified executables, libraries, and configuration files approved by the vendor and the institution. Any deviation from these baseline hashes, particularly the presence of unsigned or newly introduced binaries, should be treated as a potential compromise.

Maintaining and routinely validating system integrity against a gold image is one of the most effective defenses against ATM-targeted malware, as jackpotting threats often rely on locally introduced files that bypass traditional network-based detection.
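
The baseline comparison described above, as an added Python example (not code from the FBI alert or from any ATM vendor): it hashes every file under a directory tree, such as a mounted ATM disk, and reports files whose hash changed, files absent from the gold-image manifest, and baseline files that are missing. The file names and directory layout are constructed for illustration, and signature verification is not covered.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root, lowercased as Windows paths are
    case-insensitive) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(baseline, root):
    """Report every deviation of the tree at root from the baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample: a gold-image tree and a deployed tree that deviates from it.
    All file names here are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, atm = Path(tmp, "gold"), Path(tmp, "atm")
        files = {"app/atm_app.exe": b"vendor build 1", "app/xfs.dll": b"xfs layer",
                 "config/settings.ini": b"mode=prod"}
        for tree in (gold, atm):
            for rel, data in files.items():
                (tree / rel).parent.mkdir(parents=True, exist_ok=True)
                (tree / rel).write_bytes(data)
        baseline = build_manifest(gold)  # manifest recorded from the gold image
        (atm / "app/xfs.dll").write_bytes(b"xfs layer, altered")  # changed library
        (atm / "app/newtool.exe").write_bytes(b"unknown binary")  # newly introduced file
        (atm / "config/settings.ini").unlink()                    # file removed
        return compare_to_baseline(baseline, atm)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest would be generated once from the approved gold image and stored where the ATM itself cannot modify it; any non-empty `modified` or `added` list is the deviation the guidance says to treat as a potential compromise.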

Arrest warrant against Canelon Aguirre

On December 9, 2025, a federal arrest warrant was issued for Canelon Aguirre in the U.S. District Court, District of Nebraska, after he was charged with: Conspiracy to Commit Bank Fraud; Conspiracy to Commit Bank Burglary and Intentionally Damage a Protected Computer System; Conspiracy to Commit Money Laundering; and Conspiracy to Provide Material Support to Terrorists. This case is being investigated as part of Joint Task Force Vulcan in conjunction with the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice’s Criminal Division.

"Canelon Aguirre led a vast conspiracy to commit cyber attacks against financial institutions in communities across our country on behalf of Tren de Aragua. He and his associates generated a multimillion-dollar revenue stream ultimately funding a foreign terrorist organization," said Special Agent in Charge Eugene Kowel of the FBI Omaha Field Office. "The FBI’s ‘Ten Most Wanted Fugitives’ list highlights the seriousness of Canelon Aguirre’s criminal conduct both at home and abroad.

We are asking for the public’s help in our efforts to apprehend, arrest, and hold Canelon Aguirre accountable for his crimes. The addition of Canelon Aguirre to the list, a first for a cyber criminal, emphasizes our commitment to follow the money and surge resources to stop the threat posed by TdA members and leadership. We will continue driving hard with our partners to identify, disrupt, and dismantle their network here and abroad."
