Everest ransomware gang hits Frost Bank and Citizens Bank via third-party vendor, exposing up to 3.65 million records

The Russia-linked Everest ransomware group listed two of America’s most prominent banks on its dark web leak site in April 2026, not by breaching the banks directly, but by compromising a shared third-party vendor. Here’s what happened, what data was taken, and what it means for third-party risk management.


On April 20th, 2026, the Everest ransomware gang listed both Frost Bank and Citizens Financial Group on its dark web extortion site, setting a six-day countdown before threatening to publicly release stolen customer data. Both banks have since confirmed the breach originated not from their own systems, but from an unauthorised intrusion at a shared third-party vendor.

The incident is one of the most high-profile ransomware-linked bank breaches of 2026, and a textbook example of supply chain vulnerability in the financial sector.

What the Everest ransomware gang claims to have stolen

Everest is running a classic double-extortion play: steal the data, threaten to publish it, and pressure the victim into paying before the deadline. The gang provided data samples on its leak site as proof of access. The severity differs significantly between the two banks.

Frost Bank (approx. $53B in assets, 200+ Texas branches)

  • ~250,000 client records claimed

Citizens Financial Group (approx. $227.9B in assets, 1,000+ branches in 14 states)

  • ~3.4M records claimed, presented as an SQL dump

Data type                                     | Frost Bank    | Citizens Bank        | Identity theft risk
----------------------------------------------|---------------|----------------------|--------------------
Social Security numbers (SSN)                 | Yes           | Not found in samples | High
Tax identification numbers (TIN)              | Yes           | Not found in samples | High
Full names & home addresses                   | Yes           | Yes                  | Medium
Account numbers                               | Not confirmed | Yes                  | Medium
Mortgage interest rates                       | Yes           | No                   | Medium
Investment profits / income / taxable amounts | Yes           | No                   | High
Internal document flags                       | No            | Yes                  | Medium

The Frost Bank dataset is the more dangerous of the two. The combination of SSNs, TINs, income data, and investment details gives threat actors everything they need for targeted identity theft and financial fraud. As Cybernews researchers noted, financial data of this nature also helps attackers prioritise targets: knowing who holds significant assets makes follow-on attacks more calculated and lucrative.

The Citizens Bank dataset is larger in volume but narrower in severity. Citizens itself confirmed that most of the exposed data was “masked test data,” with only a “very limited set” of real customer information involved. The absence of SSNs and TINs in the samples limits the immediate identity theft risk, though the exposed account numbers and addresses still make affected customers viable targets for phishing and social engineering.

“The mentioned tables do not seem to contain SSNs or TINs as opposed to Frost Bank, that’s why the impact here can be more limited to scams and user profiling in general and less likely of identity theft.” (Cybernews research team)

How the breach happened: a third-party vendor at the centre

Neither bank was attacked directly. Citizens Bank confirmed “an incident involving data extracted from a third-party vendor” by a known threat actor, stating there is “no evidence of unauthorised access” to its own network. Frost Bank similarly confirmed it was notified by a third-party vendor of “unauthorised access to their systems” that may have included Frost customer data.

This is the defining feature of the attack, and its most important lesson. Everest did not need to defeat the security controls of a $227 billion bank. It needed to find a weaker point in the ecosystem around it. A shared vendor, processing data on behalf of both institutions, became that point.

Timeline of the incident

Prior to April 20th, 2026

  • Everest gained unauthorised access to a third-party vendor’s systems shared by both Frost Bank and Citizens Financial Group, exfiltrating customer records over an undisclosed period.

April 20th, 2026

  • Everest lists both banks on its dark web leak site, publishing data samples as proof and issuing a six-day ultimatum to pay or face full public release of stolen records.

April 22nd, 2026

  • Citizens Bank issues a public statement confirming the third-party vendor breach, noting that most exposed data was masked test data with a limited set of real customer information involved. Enhanced monitoring is put in place.

April 23rd, 2026

  • Frost Bank confirms it was notified by a third-party vendor and has engaged external cybersecurity experts. Early findings indicate the incident “may be related to recent claims made by cybercriminals.”

Ongoing

  • Investigations continue. Both banks confirm their own networks show no evidence of unauthorised access. Customers are being contacted directly with guidance.

Who is the Everest ransomware gang?

Everest is a Russia-linked ransomware-as-a-service (RaaS) operation active since at least 2020. It operates a double-extortion model: steal data, encrypt systems, and threaten to publish everything unless the ransom is paid. When direct extortion fails, the group has been known to pivot to initial access brokerage, selling network footholds to other threat actors.

Its track record is extensive. Coca-Cola’s Middle East division had employee passports and IDs dumped after refusing to pay. BMW was claimed as a target. Under Armour was breached, with 72.7 million customer emails later surfacing on illicit marketplaces. A breach at Collins Aerospace cascaded into threats against Dublin Airport and 1.5 million passenger records. Nissan endured months of escalating pressure before Everest published full negotiation logs and credential data.

Everest follows through on its threats. That track record is itself a pressure mechanism; every victim knows the gang has published before and will again.

Why third-party risk management cannot be an afterthought

The Everest attack on Frost Bank and Citizens Bank is a case study in what the security industry calls supply chain risk: the exposure that accumulates not from your own vulnerabilities, but from those of every vendor, processor, and technology partner you share data with. For financial institutions operating across hundreds of third-party relationships, the attack surface is vast.

  • Continuous vendor monitoring: point-in-time assessments at onboarding are insufficient. Security posture changes; monitoring must be ongoing and tied to real-time threat intelligence, including dark web surveillance for vendor credential leaks.
  • Contractual breach notification obligations: vendors must be contractually required to notify client institutions within a defined window (24–72 hours is the emerging standard) upon detecting any unauthorised access. Delayed notification extends the damage window.
  • Data minimisation and masking: Citizens Bank’s statement that most exposed data was “masked test data” is a partial silver lining. Organisations that enforce data minimisation and pseudonymisation in vendor environments limit the blast radius when a breach does occur.
  • Tiered vendor classification: Any vendor with access to SSNs, TINs, or financial records must be treated as a critical-tier relationship, subject to the same scrutiny as a direct internal system. Volume of records and sensitivity of data type should both drive classification.
  • Ransomware-specific incident response planning: double-extortion attacks introduce a public relations and legal timeline that standard IR playbooks may not account for. Banks need pre-planned responses for the scenario where stolen data appears on a dark web leak site before internal detection has even completed.
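As an added example, not code from the article, Frost Bank, Citizens or Sling, the Python below ties the data-minimisation and tiered-classification points together: it tiers a vendor feed from the fields it carries, pseudonymises the high-risk fields with a keyed hash before the records leave the bank, and blocks the export if any raw SSN, TIN or account number survives in the outgoing data. The field names, the 100,000-record threshold, the bucket widths, the key and the two sample records are all assumptions.

```python
"""Added example (not the article's, the banks' or Sling's code): tier a vendor
feed by field sensitivity, pseudonymise critical fields before records leave the
bank, and refuse to ship a feed in which raw identifiers survive. Field names,
thresholds, bucket widths, the key and both sample records are constructed."""
import hashlib
import hmac
import re
from typing import Iterable

# Field sensitivity, following the article's identity-theft-risk table.
FIELD_RISK = {"ssn": "high", "tin": "high", "income": "high", "investment_profit": "high",
              "name": "medium", "address": "medium", "account_number": "medium",
              "mortgage_rate": "medium"}
CRITICAL_VOLUME = 100_000  # assumed: this many medium-risk records is critical-tier
DEMO_KEY = b"constructed-demo-key-rotate-in-production"

# Constructed records in a plausible core-banking export shape (not real people).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "tin": "12-3456789",
     "address": "123 Main St, San Antonio, TX 78205", "account_number": "1234567890123456",
     "income": 182_000.0, "investment_profit": 41_500.0, "mortgage_rate": 6.25},
    {"name": "John Roe", "ssn": "987-65-4321", "tin": "98-7654321",
     "address": "9 Elm Ave, Providence, RI 02903", "account_number": "9876543210987654",
     "income": 64_000.0, "investment_profit": 0.0, "mortgage_rate": 7.10},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TIN_RE = re.compile(r"\b\d{2}-\d{7}\b")   # EIN-style TIN
ACCT_RE = re.compile(r"\b\d{10,16}\b")    # bare account-number-length digit runs


def classify_vendor(fields: Iterable[str], record_count: int) -> str:
    """Any high-risk field, or medium-risk data at volume, makes the vendor critical-tier."""
    risks = {FIELD_RISK.get(f, "low") for f in fields}
    if "high" in risks or ("medium" in risks and record_count >= CRITICAL_VOLUME):
        return "critical"
    return "elevated" if "medium" in risks else "standard"


def token(field: str, value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (truncated HMAC-SHA256): joins across tables
    still work, the vendor cannot invert it without the key, and binding the field
    name keeps an SSN token from colliding with a TIN token for the same digits."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def bucket(amount: float) -> str:
    """Replace an exact financial figure with a band (assumed widths)."""
    label = "under_50k"
    for lower, name in ((50_000, "50k_100k"), (100_000, "100k_250k"), (250_000, "250k_plus")):
        if amount >= lower:
            label = name
    return label


def pseudonymise(record: dict, key: bytes) -> dict:
    """Vendor-safe copy: identifiers tokenised, account number cut to last four,
    address cut to the state, exact amounts bucketed; mortgage_rate is left as an
    assumed business-required field."""
    safe = {}
    for field, value in record.items():
        if field in ("ssn", "tin"):
            safe[field] = "tok_" + token(field, value, key)
        elif field == "name":
            safe[field] = "cust_" + token(field, value, key)
        elif field == "account_number":
            safe[field] = "****" + str(value)[-4:]
        elif field == "address":
            safe[field] = value.split(",")[-1].split()[0]  # "TX 78205" -> "TX"
        elif field in ("income", "investment_profit"):
            safe[field] = bucket(value)
        else:
            safe[field] = value
    return safe


def leaks_raw_identifiers(records: Iterable[dict]) -> list:
    """Release gate: scan every outgoing value for raw SSN, TIN or account-number
    patterns. Returns 'field=value' hits; an empty list means clear to send."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            text = str(value)
            if SSN_RE.search(text) or TIN_RE.search(text) or ACCT_RE.search(text):
                hits.append(f"{field}={text}")
    return hits


def prepare_vendor_feed(records: list, key: bytes) -> tuple:
    """Classify, pseudonymise, then gate; raise rather than ship a feed that would
    widen the blast radius of a vendor compromise."""
    tier = classify_vendor(records[0].keys(), len(records))
    safe = [pseudonymise(r, key) for r in records]
    leaks = leaks_raw_identifiers(safe)
    if leaks:
        raise ValueError(f"raw identifiers would leave the bank: {leaks}")
    return tier, safe
```

The release gate matters as much as the masking itself: masked test data limited Citizens’ exposure, but only a check on the outgoing feed proves that masking actually ran on every field of every record. Use a different HMAC key per vendor so a token leaked from one vendor cannot be correlated with records held by another.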

Frequently asked questions

Were Citizens Bank or Frost Bank’s own systems hacked?

No. Both banks confirmed there is no evidence of unauthorised access to their own networks. The breach occurred at a third-party vendor that processes data on their behalf.

What data was exposed in the Frost Bank breach?

Everest claims approximately 250,000 Frost Bank client records containing SSNs, TINs, full names, home addresses, mortgage interest rates, investment profits, income, and taxable amounts, all high-risk data for identity theft.

What data was exposed in the Citizens Bank breach?

Everest claims approximately 3.4 million records, but Citizens confirmed most was masked test data. Real customer data in the samples included names, addresses, account numbers, and internal document flags. No SSNs or TINs were found in the samples.

Who is responsible for the breach?

The Everest ransomware gang, a Russia-linked RaaS operation active since 2020, has claimed responsibility. The group is known for following through on data publication threats when ransoms are not paid.

What should affected customers do?

Monitor accounts for unusual activity, be alert to phishing attempts using personal details, consider a credit freeze if you are a Frost Bank customer (given the SSN exposure), and contact your bank through the number on the back of your card, not through links in any unsolicited communications.

Everest did not breach two of America’s largest banks by defeating their security teams. It found a vendor they both trusted. In financial services, third-party risk management is not a compliance exercise; it is the front line. The Frost Bank and Citizens Bank incident will not be the last of its kind, but it is one of the clearest illustrations yet of what the stakes look like when that front line is left unguarded.
