Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
A federal grand jury in the District of Nebraska has indicted a total of 54 people accused of participating in a vast criminal operation that used malware to steal millions of dollars from U.S. ATMs. The investigation concerns so-called “ATM jackpotting,” a technique that allows ATMs to be forced to dispense cash without the use of legitimate cards or codes.
The announcement was released on Thursday, December 18, 2025, by the United States Attorney’s Office for the District of Nebraska. The contested activities are reportedly linked to the Tren de Aragua (TdA), a Venezuelan-based transnational criminal organization designated as a foreign terrorist organization.
An initial indictment, issued on December 9, 2025, implicates 22 defendants and includes charges of conspiracy to provide material support to a terrorist organization, bank fraud, burglary, computer crimes, and money laundering. Authorities believe that the proceeds obtained through jackpotting were redistributed among the group’s members and affiliates to conceal their illicit origin.
Among those named is Jimena Romina Araya Navarro, a Venezuelan artist identified as a leading member of the Aragua Tren and already sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). According to information released by OFAC, Araya Navarro facilitated the escape from Tocorón prison in 2012 of Hector Rusthenford Guerrero Flores, known as “Niño Guerrero,” believed to be the group’s historic leader. The defendant has been formally charged with materially supporting the Aragua Tren in connection with the jackpotting scheme, which allegedly also affected numerous ATMs located in the state of Nebraska. Araya Navarro has reportedly been photographed in public with Guerrero Flores on several occasions.
A second indictment, filed on October 21, 2025, concerns an additional 32 individuals and comprises a total of 56 charges. These include bank fraud, burglary, computer system damage, and computer fraud, with numerous incidents being investigated nationwide.
If convicted, the defendants face prison sentences ranging from a minimum of 20 years to a maximum total of 335 years, depending on their individual responsibilities.
According to the Department of Justice , the groups involved operated in a structured and repetitive manner. The teams traveled in multiple vehicles, conducted inspections of banks and credit unions, analyzed security systems, and, after ensuring no alarms had been triggered, proceeded to physically tamper with the ATMs. The malware was installed by removing or replacing the ATM’s hard drive, or by connecting external devices such as USB flash drives.
The variant used, identified as Ploutus, allowed unauthorized commands to be sent to the cash dispensing module, forcing the dispensing of cash. The software was also designed to erase traces of its presence, with the aim of delaying the detection of the attack by financial institutions. The profits obtained were then split according to predetermined percentages.
Investigations have documented jackpotting incidents in numerous US states. Authorities have also reconstructed a geographic map of the attacks and estimated, updating the data to August 2025, total losses of several million dollars.
According to court documents, the Tren de Aragua originated as a prison gang in Venezuela in the mid-2000s and gradually transformed into a transnational criminal organization with ramifications throughout the Western Hemisphere. The group’s activities range from drug and arms trafficking to kidnapping, sexual exploitation, extortion, murder, and assault. In recent years, U.S. authorities believe the group has also intensified its financial crimes, identifying jackpotting as a particularly lucrative source of revenue.
In 2025 alone, the District of Nebraska indicted a total of 67 members and leaders of the Aragua Tren for a wide range of federal crimes, including supporting a foreign terrorist organization, child sex trafficking, bank fraud, money laundering, and unauthorized access to protected computer systems.
The operation is part of the Homeland Security Task Force (HSTF), established under Executive Order 14159 to combat criminal cartels, foreign gangs, and human trafficking networks operating in the United States and abroad. The task force operates through interagency cooperation involving numerous federal, state, and local agencies.
The investigation was coordinated by the FBI and Homeland Security Investigations in Omaha, with support from numerous FBI field offices nationwide, the Department of Justice, and a wide range of U.S. law enforcement agencies and investigative authorities.
As provided by law, all persons charged are presumed innocent until convicted in a court of law.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
