Federal prosecutors say four men used malware to make Connecticut ATMs dispense $529,220 in cash over 10 days, then left investigators a digital trail that included YouTube searches, phone-location data, surveillance footage, and photos of money.
The U.S. Attorney’s Office for the District of Connecticut said the thefts happened between Aug. 8 and Aug. 18, 2025, at ATMs in Milford and at Interstate 95 rest stops in Fairfield, Branford, Madison, and Darien. The group also tried to hit an ATM in Ansonia, but prosecutors said a software patch protected that machine from the attack.
The defendants are Euclides Moreno Itanare, 28, of Raleigh, North Carolina; Willian Ricardo Flores, 49, of the Bronx, New York; Alberto Jose Freites Arvilla, 41, of Queens, New York; and Luis Jose Freites Arvilla, 38, of Lynn, Massachusetts, according to the Justice Department.
All four were arrested June 25 on federal criminal complaints charging interstate transportation of stolen property and conspiracy. The charges are allegations, and the defendants are presumed innocent unless proven guilty.
Prosecutors Say the ATMs Were Forced To Dispense Cash


The method is known as ATM jackpotting. Federal prosecutors said it often involves specialized hardware and malware that force a machine to release the cash stored inside.
The Connecticut complaint described a repeated pattern at the machines, according to DOJ. Luis Freites Arvilla acted as a lookout while Alberto Freites Arvilla opened the ATM hood, accessed internal components, and left the area. Over the next several hours, prosecutors said, Luis Freites Arvilla, Itanare, and Flores took turns withdrawing cash from the compromised ATM.
Prosecutors said the men sometimes changed clothes before walking back to the same ATM again. The alleged spree included eight successful ATM thefts and one failed attempt in Ansonia.
CT Insider, citing the newly unsealed federal complaint, reported that the thefts were tied to ATMs along Interstate 95 and other Connecticut locations. Fox News reported that one of the largest hauls was about $136,000 from an ATM at the I-95 northbound rest stop in Fairfield.
YouTube Searches Became Part of the Evidence
Investigators described more than surveillance footage. CT Insider reported that a YouTube account tied to Alberto Freites Arvilla had viewed repair and maintenance videos for the type of ATMs targeted in the thefts.
The same Google account also had bookmarks to websites selling 3D-printed ATM panels, ATM skimming equipment, and gas-pump skimming instructions, according to CT Insider’s summary of the complaint.
Luis Freites Arvilla’s account contained similar searches for ATM skimming and the specific ATM brand, along with visits to pages selling equipment used to unlock ATMs, CT Insider reported.
Investigators also found photos linked to the theft locations. CT Insider reported that Itanare’s Apple account contained a photo of him in front of an ATM in Branford at the same time surveillance footage showed him withdrawing money from the machine.
Cash Photos and Cell-Tower Data Added to the Trail


The complaint also described phone evidence around the thefts. CT Insider reported that FBI agents found screenshots suggesting the men may have been on a four-way WhatsApp call during a Milford ATM theft while surveillance footage showed them wearing earbuds.
Investigators used cell-tower data to place phones used by Alberto Freites Arvilla, Luis Freites Arvilla, and Itanare at theft scenes when surveillance video captured the men using the ATMs, according to CT Insider.
The group was linked to a gray Toyota Highlander with a stolen license plate registered to Flores, the outlet reported.
Fox News, citing the complaint, reported that investigators found photos in one suspect’s Apple account showing victimized ATMs, cash in a vehicle, cash in black plastic bags, and suspects counting money in New York after a Connecticut rest-stop theft.
A Software Patch Stopped One Attempt, Prosecutors Say
The Ansonia ATM did not dispense cash, according to prosecutors. DOJ said the attempted theft failed because the machine had a software patch that protected it against that type of attack.
The detail matches a broader FBI warning about malware-enabled ATM jackpotting. In a February 2026 alert, the FBI said criminals exploit physical and software vulnerabilities in ATMs, deploy malware, and force machines to dispense cash without a legitimate transaction.
The FBI said more than 1,900 ATM jackpotting incidents had been reported since 2020. More than 700 occurred in 2025 alone and caused more than $20 million in losses.
Customers Are Not Usually the Direct Target, but Tampering Still Matters
Jackpotting is different from a card-skimming scam. In a skimming case, a thief is usually trying to steal a customer’s card number and PIN. In a jackpotting case, the target is the machine itself.
ATM users should still walk away from a machine that appears open, loose, damaged, or surrounded by people taking turns at the same terminal. Customers should also watch for unusual panels, exposed wiring, loose card readers, or anyone spending time inside the ATM cabinet.
Businesses that operate ATMs should keep machines patched, inspect access points, review surveillance video when a machine is opened or powered down, and treat repeated withdrawals from the same ATM as a warning sign.
Anyone who sees people opening an ATM panel, changing clothes near a machine, or taking turns making withdrawals over several hours should leave the area and contact the business or law enforcement.
