ATM Jackpotting Sentencing Ledger: Ploutus Malware, Bank Restitution, Nebraska Arrests

Status, June 27 source check: source-cleared for a BadPD cyber/public-safety court ledger. The controlling source is the Justice Department’s June 26, 2026 release saying Carlos Javier Padron and Oddry Arnoldo Cabrera Torrealba received 78-month prison sentences in an ATM jackpotting case involving Ploutus malware and victim-bank restitution.

BadPD is not using DOJ’s immigration-status language as the frame. The public-interest file here is conduct and records: malware deployed against ATMs, unauthorized cash withdrawals, guilty pleas, restitution, a Lincoln, Nebraska arrest point, related indictments, and technical mitigation receipts from the FBI.

Why this case matters

ATM jackpotting is not ordinary card fraud. In a jackpotting attack, the target is the machine itself. DOJ says the conspiracy used a Ploutus malware variant to issue commands to ATM cash-dispensing modules and force unauthorized withdrawals. The FBI’s February 2026 IC3 FLASH describes the same family of risk: malware-enabled attacks that can bypass normal bank authorization and cause ATMs to dispense cash without a legitimate transaction.

The case matters for banks, credit unions, local police, ATM operators, and consumers because the attack can happen fast and may not be visible until cash has already left the machine. The FBI said it had observed an increase in malware-enabled ATM jackpotting incidents across the United States. The alert said more than 700 of 1,900 reported incidents since 2020 occurred in 2025 and involved more than $20 million in losses.

That makes the sentencing more than a punishment headline. It is also a practical receipt for what the public should be able to track next: restitution, malware indicators, ATM physical security, remote-access controls, local law-enforcement alerts, and whether the broader indictment network is proved in court.

The simple version is this: two defendants admitted roles in a scheme that made cash machines pay out without normal authorization. DOJ says the loss ledger reached more than $1.5 million in restitution. FBI says the technical risk is not isolated. That combination deserves a public file because sentencing alone does not show whether the money is recovered, whether the machine weakness is closed, or whether other cases in the same investigation end in convictions, dismissals, pleas, or acquittals.

BadPD is treating this as a public-safety and financial-system accountability item. It is not a reason to smear a nationality, a neighborhood, or an immigration category. The conduct is the file. The evidence is the file. The missing records are the file.

What DOJ says happened

DOJ says Padron, 36, was sentenced to 78 months in prison for his role in a conspiracy to deploy malware and steal money from ATMs in the United States. DOJ says Torrealba, 37, also known as Luis Alejandro Berdugo Barraza, was sentenced on June 11 to 78 months in prison for similar conduct.

According to DOJ, both defendants pleaded guilty to one count of conspiracy to commit bank burglary and one count of computer fraud and intentional damage to a protected computer. The court also ordered both defendants to jointly pay $1,537,696 in restitution to multiple victim banks.

DOJ says Padron and Torrealba were part of a sophisticated criminal network responsible for ATM jackpottings throughout the United States. It says the network developed and deployed Ploutus malware on ATMs, and that individuals including Padron and Torrealba deployed the malware in person. DOJ says the two were arrested by Lincoln, Nebraska Police at the site of a jackpotting in October 2024.

The guilty-plea point matters. It separates the current defendants from the larger pool of people DOJ says have been indicted. For Padron and Torrealba, the source set includes guilty pleas, sentences, and restitution. For the broader group, the public file is still allegation-heavy unless and until a docket shows a plea, trial verdict, sentence, dismissal, or other final action.

The restitution point also needs follow-through. A restitution order is not the same thing as collection. Readers should watch for payment schedules, forfeiture records, seized assets, garnishment records, victim-bank allocation details, and later court filings that show whether any money actually moves back to the institutions DOJ identified as victims.

The Ploutus malware receipt

The FBI technical alert gives useful context for the word “Ploutus.” FBI says Ploutus-family malware can exploit the software layer that tells an ATM what to physically do. If an attacker can issue commands through that layer, the attacker can bypass bank authorization and instruct the machine to dispense cash on demand.

The FBI alert says common infection methods include removing an ATM hard drive, copying malware to it, replacing it with another device or hard drive, and rebooting the ATM. The alert also lists categories of indicators, including unexpected executable files, new directories, unauthorized remote-access tools, abnormal autoruns, custom services, and USB or external-device events.

BadPD is not publishing the FBI indicators as operational instructions. The accountability point is that the federal technical warning existed before this sentencing release and gives banks and ATM operators a concrete checklist. A complete public file should connect sentencing outcomes to prevention controls.
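The indicator categories named above can be checked against an approved software baseline on the operator's side. The sketch below is an added example, not code from BadPD, the FBI alert, or any ATM vendor. The event schema, the baseline entries, the 30-minute window, and every sample value are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical approved baseline for one ATM software image (assumption, not FBI data).
BASELINE = {
    "executable": {r"C:\ATM\app\teller_ui.exe"},
    "directory": {r"C:\ATM\app"},
    "remote_tool": set(),  # no remote-access tool is approved on this image
    "autorun": {"AtmAppLauncher"},
    "service": {"AtmAppService"},
}
# Constructed event kind -> indicator category as worded in the article.
CATEGORY = {
    "executable": "unexpected executable file",
    "directory": "new directory",
    "remote_tool": "unauthorized remote-access tool",
    "autorun": "abnormal autorun",
    "service": "custom service",
    "external_device": "USB or external-device event",
}

def classify(event):
    """Return the indicator category for one observation, or None if it is baseline."""
    kind = event["kind"]
    if kind == "external_device":  # any device attach on an ATM is worth review
        return CATEGORY[kind]
    if kind in BASELINE and event["name"] not in BASELINE[kind]:
        return CATEGORY[kind]
    return None

def triage(events, window=timedelta(minutes=30)):
    """Classify observations; escalate if any finding follows an unscheduled reboot."""
    findings, last_reboot, escalate = [], None, False
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] == "unscheduled_reboot":
            last_reboot = ev["time"]
            continue
        category = classify(ev)
        if category:
            findings.append((category, ev["name"]))
            if last_reboot and ev["time"] - last_reboot <= window:
                escalate = True
    return findings, escalate

SAMPLE = [  # constructed observations, not real indicators
    {"time": datetime(2026, 1, 1, 2, 10), "kind": "external_device", "name": "usb-storage"},
    {"time": datetime(2026, 1, 1, 2, 14), "kind": "unscheduled_reboot", "name": ""},
    {"time": datetime(2026, 1, 1, 2, 16), "kind": "executable", "name": r"C:\Temp\new\tool.exe"},
    {"time": datetime(2026, 1, 1, 2, 16), "kind": "directory", "name": r"C:\Temp\new"},
    {"time": datetime(2026, 1, 1, 2, 17), "kind": "service", "name": "AtmAppService"},
]
```

Calling `triage(SAMPLE)` returns three findings and sets the escalation flag, because the baseline deviations appear within the window after the unscheduled reboot; the baseline service is ignored.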

For a nontechnical reader, the important distinction is that this is not a story about someone guessing a customer PIN. The alleged and admitted conduct is aimed at the ATM’s own software and hardware environment. That is why the file belongs in both the court desk and the infrastructure desk. If machines can be opened, altered, rebooted, or remotely controlled without fast detection, the weak point is partly operational, not just criminal.

That does not mean every ATM is unsafe or that customers should panic. It means financial institutions should have a clear answer to a narrow question: after the FBI warning and after prosecutions tied to this malware family, what changed in device monitoring, physical access controls, vendor maintenance, incident reporting, and local police coordination?

Useful public answers would not require banks to disclose sensitive security details. They could confirm that an institution reviewed the FBI alert, patched affected devices where applicable, limited unauthorized tools, tightened service access, trained branch staff on suspicious ATM activity, and improved escalation paths for police and federal cyber contacts.

Broader indictment claims need careful labels

DOJ says that, after the arrests of Padron and Torrealba, a broader investigation identified co-conspirators in the United States and abroad. The June 26 release says 96 other defendants have been indicted for roles in the conspiracy or related offenses. It also says the investigation established direct and indirect links between indicted co-conspirators and Tren de Aragua.

Those are serious government statements. They also need precise labels. An indictment is not a conviction, and a network claim should not be turned into guilt for unnamed people, unrelated migrants, or any protected class. BadPD’s post keeps the current confirmed facts separate from pending allegations: Padron and Torrealba pleaded guilty and were sentenced; other defendants and broader network claims remain court-record matters to track by docket.

DOJ’s additional-indictment background release adds earlier procedural context for the broader operation. It describes alleged reconnaissance, ATM access, malware installation, lookouts, cash removal, and movement of funds. That background is useful, but the current article’s live hook is the two sentencings and the restitution order.

This distinction is not cosmetic. If the public record blurs convictions, indictments, association claims, and identity labels, readers lose the ability to tell what a court has actually resolved. Bad public framing can also make it harder to scrutinize the government, because sloppy claims invite sloppy rebuttals. The cleaner standard is simple: quote the government when the government makes a claim, label the procedural status, and keep the door open for later records that prove, narrow, or contradict the claim.

For this ledger, that means the two sentencings are the hard hook. The 96 related indictments are a watch list. Any gang-link language remains attributed to DOJ and court documents. Any future post should attach docket numbers, case captions, plea records, judgments, or trial outcomes before treating separate defendants as proved participants.

KETV and local Nebraska context

KETV’s June 26 local report tracked the Nebraska angle for readers near the case: the sentencing, the ATM jackpotting scheme, and the connection to law enforcement activity in Nebraska. Local reporting is useful here because the federal release names Lincoln Police as the agency that arrested Padron and Torrealba at the site of a jackpotting in October 2024.

That local arrest fact is part of the public-service receipt. A cybercrime case can sound remote until a local police department encounters suspects at a machine. The prevention question is whether ATM operators and local officers have the technical indicators, evidence-handling instructions, and agency contacts needed before the next machine is opened.

Local agencies do not need to become malware labs to play a useful role. They need a clear escalation path when officers find tools, opened ATM panels, suspicious vehicles, unusual service activity, or a machine dispensing cash outside a normal transaction. The local public-interest question is whether dispatchers, patrol officers, detectives, financial-crimes units, and federal task-force contacts have a shared playbook.

That is why Nebraska is not just a location tag. It is the place where DOJ says arrests happened at a jackpotting site. The next useful local receipt would be an after-action policy, training bulletin, police report, probable-cause filing, or court exhibit that shows what evidence was recovered and how officers recognized the incident in real time.

What banks and regulators should be able to show

A public-facing bank response can be careful without being empty. Banks do not need to publish device passwords, alarm thresholds, vendor contracts, or detection rules. They can still confirm whether they reviewed the FBI alert, checked affected ATM fleets, updated vendor access controls, reviewed service logs, and refreshed staff reporting procedures.

Regulators and banking associations can also help by publishing plain guidance that does not teach the attack. Useful guidance would describe warning categories, reporting channels, documentation steps, and consumer-facing reassurance. Consumers mostly need to know that jackpotting targets machines, not a customer’s normal debit-card use. Operators need much more detail, but that can move through secure channels.

For public accountability, the question is whether the institutional response matches the scale of the loss claims. DOJ says restitution was ordered at $1,537,696. FBI says the national incident picture has grown. If those numbers are accurate, the prevention response should leave records behind: memos, advisories, training notices, vendor directives, insurance filings, or regulator communications.

Confirmed, alleged, pending, and not established

Confirmed by the source set

  • DOJ published the sentencing release on June 26, 2026.
  • DOJ says Padron and Torrealba each received a 78-month sentence.
  • DOJ says both pleaded guilty to conspiracy to commit bank burglary and computer fraud/intentional damage to a protected computer.
  • DOJ says both were ordered to jointly pay $1,537,696 in restitution to multiple victim banks.
  • DOJ says the case involved Ploutus malware and ATM jackpotting.
  • DOJ says Lincoln, Nebraska Police arrested the two at a jackpotting site in October 2024.
  • FBI IC3 says malware-enabled ATM jackpotting incidents increased across the United States and published technical mitigation indicators in February 2026.

Alleged or pending in court records

  • DOJ says 96 other defendants have been indicted in the broader conspiracy or related offenses.
  • DOJ says the investigation has direct and indirect links between indicted co-conspirators and Tren de Aragua (TdA).
  • Any guilt, role, or sentencing outcome for defendants other than Padron and Torrealba needs separate docket-level proof.

Missing records to verify

  • Judgment entries for both defendants.
  • Restitution schedule, payment status, and victim-bank allocation records.
  • Forfeiture orders or asset-recovery records.
  • Case docket numbers for related indictments and any severed cases.
  • Whether ATM operators implemented the FBI mitigation checklist after related incidents.
  • Whether any local agencies issued updated ATM jackpotting guidance after the Lincoln arrests.

Not established by this source set

  • That every person described in related indictments has been convicted.
  • That immigration status, nationality, or ethnicity explains the crime.
  • That consumers’ individual bank accounts were directly compromised by the Ploutus technique described by FBI.
  • That the restitution has been fully collected.

BadPD record demand

The next useful update is court-record proof. BadPD will watch for the judgment entries, restitution ledger, asset forfeiture filings, related indictment docket numbers, plea agreements, and any sentencing memos that clarify the defendants’ exact roles. The technical lane should also stay open: ATM operators, financial regulators, and local agencies should be able to show what changed after the FBI alert and the Lincoln arrests.

The takeaway is straightforward. A federal sentence says two defendants were punished. The accountability file asks whether the banks get restitution, whether the broader cases are proved in court, whether machine operators close the physical and software gaps, and whether public claims stay tied to records instead of identity shortcuts.

Source ledger

Featured image is symbolic editorial artwork created for BadPD. It is not evidence from the case and is not ATM, defendant, or surveillance photography.
