Ransomware Group Targets Frost Bank and Citizens Bank, Threatens Data Leak in 6 Days

Last updated: April 23, 2026
  • The Everest ransomware gang gave Frost Bank and Citizens Bank six days to respond before publicly releasing allegedly stolen customer data, with samples showing Social Security numbers for Frost customers.

  • Both banks confirmed a third-party vendor breach but stated their internal networks remain secure, with Citizens noting most compromised data was masked test information.

  • Security researchers believe a shared vendor handling statement printing and tax document fulfillment likely exposed both banks, though the hackers’ claims of millions of records remain unverified.

The Everest ransomware group has placed two prominent American financial institutions on its dark web extortion site. The hackers say they took private data belonging to customers of Frost Bank, based in Texas, and Citizens Financial Group, which has branches in the northeastern region of the United States. They are giving both banks only six days to respond to their demands before they leak the data themselves.

Everest published samples of the alleged data on April 20, 2026. The leaked previews show that the gang may hold records belonging to approximately 250,000 Frost Bank clients. For Citizens Bank, the hackers claim possession of around 3.4 million records. Security researchers cannot independently verify these numbers at this stage.

This type of deadline pressure represents a standard tactic among ransomware operators. The hackers hope to force victims into negotiations by creating time-sensitive fear. If the banks refuse to pay, the gang threatens to dump everything online for anyone to access.

Frost Bank Data Samples Reveal Highly Sensitive Customer Information

The data previews from Frost Bank contain some of the most dangerous types of personal information. The visible samples include Social Security numbers, Tax Identification numbers, full names, home addresses, mortgage interest rates, investment profit gains, income figures, and taxable amounts.

The exposure of banking data is a worldwide issue. In a separate incident, a threat group leaked Israeli bank card data on Telegram, showing that financial institutions globally are under attack and that customer data is being distributed through various underground channels, from dark web extortion sites to encrypted messaging apps.

Security experts warn that documents revealing a person’s financial status help threat actors decide which targets to attack first. Criminals can use this type of information to build profiles for identity theft and financial fraud. The gang has redacted certain parts of the sample, so the complete dataset may contain more sensitive data.

Frost Bank confirmed the incident to Cybernews on April 23. A spokesperson stated that a third-party vendor notified the bank about unauthorized access to their systems that may have included Frost customer data.

The bank has engaged external cybersecurity experts to assist with the investigation. Early findings suggest the incident relates to the recent claims made by the cybercriminals.

The bank stated that customers can safely use all Frost services. Officials have found no evidence that anyone gained unauthorized access to the Frost network itself.

Citizens Bank Reports Limited Customer Impact from Vendor Breach

The Citizens Bank data tells a somewhat different story. The stolen samples appear to contain a SQL database dump with full names, home addresses, account numbers, and internal document flags from six different tables. Unlike Frost Bank, the Citizens data samples do not appear to include Social Security numbers or Tax Identification numbers.

Our researchers noted that the Citizens breach may lead to more limited consequences. Without Social Security numbers in the exposed data, victims face lower risks of direct identity theft. However, criminals could still use the information for scams and user profiling.

Citizens Bank confirmed to Cybernews that a known threat actor extracted data from a third-party vendor. A bank spokesperson stated that most of the compromised material consisted of masked test data. Only a very limited set of real customer information was involved in the incident.

The spokesperson added that the bank has found no evidence of unauthorized access to the Citizens network. Operations continue running normally. Citizens has put enhanced monitoring in place and has started contacting affected customers with additional guidance.

ZeroFox, a cybersecurity intelligence firm, analyzed the situation and told American Banker that the same third-party vendor likely served both banks. Adam Darrah, Vice President of Intelligence at ZeroFox, stated that the affected vendor appears to handle statement printing for Citizens and tax document fulfillment for Frost. The samples do not suggest that Everest reached internal systems at either bank.

Everest Ransomware Group has a History of Major Corporate Attacks

The Everest group has engaged in cybercrime since 2020. It is Russian-based and uses a double extortion model: stealing data, encrypting systems, and threatening to release all of the data unless it receives the demanded ransom payment.

The gang doesn’t only utilize the standard ransomware method of extortion. When direct ransom solicitation fails, the Everest group sells network access to other threat actor groups. This creates additional problems for victims who may face multiple attacks from different criminals.

Over the course of a year, Everest has amassed more than one hundred victims across virtually every industry sector. The group previously targeted Coca-Cola’s Middle East division, BMW, Under Armour, Collins Aerospace, and Iberia Airlines. The attack on Collins Aerospace had potentially serious implications for Dublin Airport, including the loss of 1.5 million passenger records.

CISA continues to monitor ransomware attacks against critical sectors such as the financial sector. To avoid data breaches that originate with vendors, CISA has recommended that organizations implement a strong third-party risk management program.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
