A federal grand jury in Nebraska has issued a new indictment in a major international cybercrime case involving an “ATM jackpotting” scheme tied to the violent transnational gang Tren de Aragua (TdA). The latest charges bring the total number of defendants accused in the operation to 87, highlighting the growing threat of malware-driven attacks on financial institutions across the United States.
The additional indictment charges 31 individuals for their alleged roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs, a crime widely known as ATM jackpotting. Fifty-six other defendants had already been charged in earlier cases.
Prosecutors say many of those involved are Venezuelan and Colombian nationals, including illegal alien members of Tren de Aragua, which has been designated a Foreign Terrorist Organization.
The indictment includes 32 counts, such as conspiracy to commit bank fraud, conspiracy to commit bank burglary and computer fraud, and damage to computers.
Justice Department Highlights Terror and Financial Crime Connection
Attorney General Pamela Bondi described Tren de Aragua as more than a financial crime network.
“Tren de Aragua is a complex terrorist organization that commits serious financial crimes in addition to horrific rapes, murders, and drug trafficking,” Bondi said. “This Department of Justice has already prosecuted more than 290 members of Tren de Aragua and will continue working tirelessly to put these vicious terrorists behind bars after the prior administration let them infiltrate our country.”
Deputy Attorney General Todd Blanche emphasized the Justice Department’s focus on dismantling the group.
“A large ring of criminal aliens allegedly engaged in a nationwide conspiracy to enrich themselves and the TdA terrorist organization by ripping off American citizens,” Blanche said. “The Justice Department’s Joint Task Force Vulcan will not stop until it completely dismantles and destroys TdA and other foreign terrorists that import chaos to America.”
Ploutus Malware Used in ATM Jackpotting Scheme
According to court documents, the conspiracy developed and deployed a variant of malware known as Ploutus, which was used to hack into ATMs and force them to dispense cash.
Investigators allege the group recruited individuals across the country to carry out the attacks. Members would travel in teams, often using multiple vehicles, to targeted banks and credit unions.
The operation typically involved reconnaissance first. Groups would inspect the ATM’s external security features, then open the hood or access panel and wait nearby to see whether alarms were triggered or law enforcement responded.
Once the area appeared clear, attackers allegedly installed Ploutus malware in several ways, including removing and replacing hard drives or connecting external devices like thumb drives to deploy the malicious software.
The malware’s main function was to issue unauthorized commands to the ATM’s cash dispensing module, forcing withdrawals of currency. Prosecutors also say Ploutus was designed to delete evidence of the attack to mislead banks and conceal the intrusion.
Proceeds were then split among members in predetermined portions.
Task Force Vulcan Targets TdA’s Financial Pipeline
U.S. Attorney Lesley A. Woods for Nebraska said the case is part of a broader effort to stop the gang’s funding.
“Tren de Aragua uses ATM jackpotting crimes committed all across America to fund its terrorist organization,” Woods said, adding that authorities are working to “shut down their financial pipeline and handicap their ability to terrorize American communities.”
Joint Task Force Vulcan Co-Director Chris Eason warned that malware-driven attacks on financial institutions will not be tolerated.
“Using sophisticated malware to empty ATMs and damage U.S. financial institutions that also fund TdA’s terrorist activity will not be tolerated,” he said.
FBI Omaha Special Agent in Charge Eugene Kowel noted that the conspiracy poses a direct threat nationwide.
“This case highlights TdA’s plot to deploy malware to steal vast funds from financial institutions across the United States,” Kowel said.
Previous Indictments and Potential Sentences
The latest indictment follows earlier cases returned in October and December 2025. Prosecutors allege TdA conducted jackpotting attacks across America, stealing millions and transferring proceeds among members to conceal illegally obtained cash.
If convicted, defendants face maximum prison terms ranging from 20 to 335 years.
Tren de Aragua originated as a Venezuelan prison gang in the mid-2000s and has since expanded throughout the Western Hemisphere. U.S. officials say the organization is involved in drug trafficking, sex trafficking, kidnapping, robbery, fraud, extortion, and murder.
The Justice Department says ATM jackpotting has become one of the gang’s key revenue streams, making financial cybercrime a central part of its operations.
