Hackers equipped with black market software are targeting cash machines with dated software and substandard security and walking away with millions over the course of a series of attacks, according to a collaborative investigation by Motherboard and German newsroom Bayerischer Rundfunk. Though law enforcement agencies are tightlipped about the trend, it’s a sign that banks may be surprisingly vulnerable to cybercrime.

Other sources, granted anonymity by Motherboard, described the same trend: “There are attacks happening, but a lot of the time it’s not publicized,” said one.

Plug-And-Play

The German attacks and others throughout Europe seem to be carried out with Russian software called Cutlet Maker, which Motherboard reports can be bought for $1,000. In the U.S., a program called Ploutus. D is more popular.

Both programs can be installed into ATMs through a USB or other physical access point — though the hackers usually need to break into the ATM’s hardware to access it.