OMAHA – A federal grand jury in the District of Nebraska has returned an additional indictment last week charging 31 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as “ATM jackpotting.” Fifty-six others have already been charged. Many of the defendants charged in this Homeland Security Task Force operation are Venezuelan and Colombian nationals including illegal alien Tren de Aragua (TdA) members. This indictment alleges 32 counts including conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, bank fraud, bank burglary, and damage to computers.

“This latest indictment demonstrates the Criminal Division’s commitment to dismantling cartels, including when they attack our nation’s financial systems with sophisticated malware,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “The announcement of charges against a total of 87 defendants underscores both the massive scale of these alleged conspiracies and the strength and skill of our investigators and prosecutors who dismantle them. As cartels level up their criminal game, so will we.”

“Tren de Aragua uses ATM jackpotting crimes committed all across America to fund its terrorist organization which is responsible for horrific crimes such as human trafficking (to include sex trafficking of children in Nebraska), kidnapping, murder and other unspeakably evil and violent acts, said U.S. Attorney Lesley A. Woods for the District of Nebraska. “The U.S. Attorney’s Office for the District of Nebraska will fight TdA directly by taking every action at our disposal to shut down their financial pipeline and handicap their ability to terrorize American communities.”

The alleged conspiracy developed and deployed a variant of malware known as Ploutus, which was used to hack into ATMs and force ATMs to dispense cash. The conspiracy relied on the recruitment of a number of individuals to deploy Ploutus malware nationwide. Members of the conspiracy and TdA would travel in groups, using multiple vehicles, to the locations of targeted banks and credit unions. These groups would conduct initial reconnaissance and take note of external security features at the ATMs. Following this reconnaissance, the groups would open the hood or door of ATMs and then wait nearby to see whether they had triggered an alarm or a law enforcement response. The groups would then take steps to install malware on the ATMs, by removing the hard drive and installing the malware directly, by replacing the hard drive with one that had been pre-loaded with the Ploutus malware, or by connecting an external device such as a thumb drive that would deploy the malware. The Ploutus malware’s primary purpose was to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force withdrawals of currency. The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM. Members of the conspiracy would then split the proceeds in predetermined portions.