As long as there are ATMs, hackers will be there to drain them of money. Although ATM-targeted “jackpotting” malware—which forces machines to spit out cash—has been on the rise for several years, a recent variation of the scheme takes that concept literally, turning the machine’s interface into something like a slot machine. One that pays out every time.

As detailed by Kaspersky Lab, so-called WinPot malware afflicts what the security researchers describe only as a “popular” ATM brand. To install WinPot, a hacker needs either physical or network access to a machine; if you cut a hole in the right spot, it's easy enough to plug into a serial port. Once activated, the malware replaces the ATM's standard display with four buttons labeled “SPIN”—one for each cassette, the cash-dispensing containers within an ATM. Below each of those buttons, it shows the number of bank notes within each given cassette, as well as the total values. Tap SPIN, and out comes the money. Tap STOP, and well, you know. (But at that point, ATM cyberthief, why would you?)

“These people do have a sense of humor and some spare time.” Konstantin Zykov, Kaspersky Lab

Kaspersky started tracking the WinPot family of malware back in March of last year, and in that time has seen a few technical versions on the theme. In fact, WinPot appears to be something of a variation in its own right, inspired by a popular ATM malware dating back to 2016 called Cutlet Maker. Cutlet Maker also displayed detailed information about the contents of its victim ATMs, though rather than the slot motif it used an image of a stereotypical chef giving a wink and the hand gesture for “OK.”

Kaspersky Lab

The similarities are a feature, not a bug. “The latest versions of ‘cashout’ ATM software contain only small improvements compared with previous generations,” says Konstantin Zykov, senior security researcher at Kaspersky Lab. “These improvements allow the criminals to automate the jackpotting process because time is critical for them.”

That also goes some way to explaining the absurdist bent ATM hackers have embraced of late, an atypical trait in a field devoted to secrecy and crime. ATM malware is fundamentally uncomplicated and battle-tested, giving its proprietors space to add some creative flair. The whimsical tilt in WinPot and Cutlet Maker “is not usually found in other kinds of malware,” Zykov adds. “These people do have a sense of humor and some spare time.”

After all, ATMs at their core are computers. Not only that, they're computers that often run outdated, even unsupported versions of Windows. The primary barrier to entry is that most of these efforts require physical access to machine, which is one reason why ATM malware hasn’t become more popular in the US, with its relatively pronounced law-enforcement presence. Many ATM hackers deploy so-called money mules, people who assume all the risk of actually extracting money from the device in exchange for a piece of the action.