OMAHA -- A federal grand jury in the District of Nebraska has returned two indictments charging 54 individuals for their roles in “ATM jackpotting.”   

ATM Jackpotting is a conspiracy to deploy malware and steal millions of dollars from ATMs in the United States. 

 The announcement was made by United States Attorney Lesley A. Woods. 

 An indictment returned on December 9 charges 22 defendants with offenses including conspiracy to provide material support to terrorists, conspiracy to commit bank fraud, conspiracy to commit bank burglary and fraud and related activity in connection with computers, and conspiracy to commit money laundering.

The indictment also alleges that Tren de Aragua (“TdA”) has used jackpotting to steal millions of dollars in the United States and then transferred the proceeds among its members and associates to conceal the illegally obtained cash. 

  One of the individuals named in the Indictment is Jimena Romina Araya Navarro, an alleged Tren De Aragua leader and Venezuelan entertainer who was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).  OFAC’s press release alleged that Araya Navarro reportedly helped the notorious head of TdA, Hector Rusthenford Guerrero Flores (a.k.a. “Niño Guerrero”) escape from the Tocorón prison in Venezuela in 2012, and others in this network have laundered money for TdA leaders.  

Jimena Romina Araya Navarro was indicted by the grand jury for the District of Nebraska for material support to Tren De Aragua for factual allegations stemming from TdA’s nationwide ATM jackpotting scheme that included burglaries of many ATMs in Nebraska.  Jimena Romina Araya Navarro has been publicly photographed at parties and social events with the alleged head of TdA Nino Guerrero. 

  An October 21, 2025 indictment charges 32 individuals and alleges 56 counts including one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of damage to computers. 

If convicted, the defendants face a maximum term of imprisonment ranging between 20 and 335 years.  

 “Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy and that money is alleged to have gone to Tren de Aragua leaders to fund their terroristic activities and purposes.  A tirelessly dedicated team of Nebraska law enforcement agents and officers banded together to identify this vast international criminal network and to follow the money trail of this devastating financial crime back to its terroristic roots in Venezuela.  The agents, analysts, detectives, and officers who came together on this case were able to expose this conspiracy from its lowest levels to the alleged mastermind behind the malware that was deployed against American ATMs all across the nation. The members of Nebraska law enforcement who selflessly dedicated themselves to this mission have not only made Nebraska safer from a designated terrorist organization by removing dozens of TdA members from Nebraska but have also dealt a blow to an organization with international reach and impact. This case demonstrates what state, federal, and local law enforcement officers can accomplish when they fully join forces. The United States Attorney’s Office stands ready to fight alongside our law enforcement partners to defeat any threat to national security and to Nebraska’s security.  TdA members will find no safe harbor in the State of Nebraska,” United States Attorney Lesley Woods said. 

 According to court documents, TdA is a violent transnational criminal organization that originated as a prison gang in Venezuela in the mid-2000s. TdA has expanded its criminal network throughout the Western Hemisphere and established a presence in the United States. 

  “Tren de Aragua is not just a criminal gang; they are a ruthless terrorist organization that preys on communities, spreads fear, and bankrolls violence across borders. HSI and our law enforcement partners will track you down, break up your networks, and ensure you never find safe harbor in the United States. Our mission is to protect American families from predators who think they can operate with impunity. We will not tolerate foreign terrorists stealing from our citizens and threatening our homeland. Our communities are safer today because of the relentless work of this team, and we are just getting started,” said HSI Kansas City Special Agent in Charge Mark Zito. 

TdA’s criminal activities include a variety of violent and criminal offenses, including drug trafficking, firearms trafficking, commercial sex trafficking, kidnapping, robbery, theft, fraud, and extortion.  TdA members also commit murder, assault, and other acts of violence to enforce and further the organization’s criminal activities.  

TdA has developed an additional source of revenue stream through financial crimes that target financial institutions throughout the United States, including using jackpotting to steal millions of dollars in cash. 

The alleged conspiracy developed and deployed a variant of malware known as Ploutus, which was used to hack into ATMs and force ATMs to dispense cash. The conspiracy relied on the recruitment of a number of individuals to deploy Ploutus malware nationwide.  

Members of the conspiracy and TdA would travel in groups, using multiple vehicles, to the locations of targeted banks and credit unions. These groups would conduct initial reconnaissance and take note of external security features at the ATMs. Following this reconnaissance, the groups would open the hood or door of ATMs and then wait nearby to see whether they had triggered an alarm or a law enforcement response.  

The groups install malware on the ATMs by replacing the hard drive with one that had been pre-loaded with the Ploutus  malware, or by connecting an external device such as a thumb drive that deploys the malware. 

The Ploutus malware’s primary purpose is to issue unauthorized commands associated with the Cash Dispensing Module, forcing withdrawals of currency.  

The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM.