
Money Mart, the check-cashing and instant loan giant, has been claimed as a victim by the Everest ransomware group. The breach allegedly exposed a treasure trove of sensitive information, including customer transaction records, credit card details, and employees' personal information.
- Everest claims to have stolen 80,000+ internal Money Mart files, including sensitive customer, financial, and employee data from both the US and Canada.
- Money Mart has until November 30th before the gang threatens to publish its data across dark web and hacker marketplaces.
- The Russian-linked hackers have claimed more than 250 victims since 2023, continuing their rapid rise in the ransomware underworld.
The North American “same-day” financial services company appeared on the ransomware gang’s dark leak site on Tuesday, along with a lengthy entry post that also provided samples of the alleged stolen data.
Money Mart has approximately 400 locations throughout Canada and the United States, offering services to individuals and small businesses, including payday loans, home loans, check cashing, account deposits, MoneyGram international money transfer services, money orders, currency exchange, and prepaid debit cards.
The ransomware operators claim to have exfiltrated at least 80,000 internal files from a “National Money Mart Company Database,” giving the company roughly five days to make contact.
“Company representative should follow the instructions to contact us before time runs out,” the gang wrote, giving the ‘alternative financial solutions’ chain roughly five days (November 30th) before it likely releases the stolen cache on the dark web.
Everest, as is typical, provides a recorded message and Qtox ID for Money Mart to do so.
Under the countdown clock, the group also threatens, “After the full publication, all the data was duplicated across various hacker forums and leak database sites.”
A subsidiary of the Momentum Financial Services Group in Canada, Money Mart was founded in 1979 and is headquartered in Malvern, Pennsylvania, with annual revenue listed at $24 million.
Cybernews has reached out to Money Mart and is awaiting a response at the time of this report.
Earlier on Tuesday, Spain’s largest coalition loyalty program, the Travel Club, was also posted on the Everest leak site.
The extortionists are said to have compromised millions of customer records from the program, which is operated by Air Miles España, such as names, emails, account IDs, demographics, activity data, and marketing information.
Plethora of personal data exposed
Everest claims to possess personal data from both the USA and Canada, breaking down the database into seven categories, “and much more,” including:
- Personal Identification / Contact Information / Identity Documents
- Financial Data
- Client / System Profiles
- Administrative Codes & Status Parameters
- Employment History
- Timestamps / Interaction History
- Employee list
Cybernews, which has viewed the samples, can confirm that each category appears to contain an abundance of Personally Identifiable Information (PII), including names, addresses, dates of birth, email addresses, and driver’s license numbers.
Financial data posted by the group includes credit card details, which expose ten digits of the 16-digit credit card account numbers and the account credit limit, plus financial transactions, purchase orders, and billing invoices from third-party suppliers.
The transaction data, presumably for check cashing, includes dates, amounts, transfer account numbers (again, showing at least 10 digits), approval codes, merchant details, and employee ID numbers.
Money Mart employees are also facing a significant leak of personal data, which, in addition to the PII listed above, includes worker ID numbers, work email addresses, start/end/termination dates, employment history, and assignment status.
Everest's steady stream of attacks
The Everest ransomware group is becoming a growing force in the ransomware underworld.
Cybernews’ Ransomlooker monitoring tool shows Everest with over 250 victims posted to its leak list since 2023, claiming more than 100 victims in the past twelve months.
Earlier this month, the gang targeted Brazilian petroleum giant Petrobras and Under Armour, the global activewear and footwear brand.
And in October, it claimed responsibility for an attack on Collins Aerospace and its MUSE check-in software, used at airports across Europe, causing travel chaos for several days.
Besides the luxury automaker BMW, other notable targets are in the Middle East, including Coca-Cola’s Middle East division, the Abu Dhabi Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB).
The gang also hit US-based Pacific HealthWorks, the North American gourmet cookie shop chain Crumbl, email marketing behemoth Mailchimp, and the US hotel chain Radisson Country Inn and Suites.
The financially motivated cartel – believed to be Russia-linked – was first spotted in 2021 and is said to be connected to the BlackByte ransomware group.
It made headlines after the October 2022 attack on the American telecommunications behemoth AT&T.