Two major US banks targeted — Citizens Bank and Frost Bank confirm breach

Two major US banks have appeared on a ransomware leak site, with the attackers posting samples of sensitive financial data and setting a six-day ultimatum before full public release.
- The Everest ransomware gang listed Frost Bank and Citizens Financial Group on its dark web leak site on April 20th, setting a six-day deadline before publicly releasing stolen data.
- Everest claims to hold ~250,000 client records from Frost Bank containing Social Security numbers, tax IDs, full names, mortgage interest rates, investment profits, income data, taxable amounts, and home addresses. This creates a high risk of identity theft and financial fraud.
- The gang claims ~3.4 million Citizens Bank records from a SQL database dump, but the samples only contain full names, home addresses, account numbers, and internal document flags. No SSNs or TINs were found, limiting the likely damage mostly to scams and user profiling.
- Both banks confirmed the breach originated at a third-party vendor, not from direct unauthorized access to their own networks.
- Citizens Bank noted that most of the exposed data was "masked test data," with only a "very limited set" of real customer information involved.
- Frost Bank has engaged external cybersecurity experts to investigate and confirmed the incident "may be related to recent claims made by cybercriminals."
The Everest ransomware gang has placed two of America's most prominent financial institutions on its dark web extortion site.
On April 20th, Texas-based Frost Bank and Northeast heavyweight Citizens Financial Group both surfaced on Everest's dark web leak site.
The clock is ticking, with the attackers giving both banks six days before publicly releasing the stolen sensitive data.
This is a very common extortion tactic used by ransomware gangs to pressure victims into negotiating and eventually paying the ransom.
How many bank customers were exposed to the data breach?
Everest claims to hold records for approximately 250,000 Frost Bank clients. The number could not be independently verified. The data visible in the provided samples suggests that the dataset might expose:
- Social Security numbers (SSN)
- Tax Identification numbers (TIN)
- Full names
- Interest rate on a mortgage
- Profit gains from investments
- Income
- Taxable amounts
- Home addresses
However, the gang redacted portions of the preview samples posted on its leak site, so there may be more personal data in the dataset.
"Besides the risk of identity theft and financial fraud, these documents often reveal people's financial status, which can be useful to threat actors when it comes to deciding whom to attack first and to determine their tactics," the Cybernews research team noted.
The Citizens Bank data tells a different story – broader in volume but narrower in severity. The gang claims approximately 3.4 million records, a claim that cannot be proven at this point either.
The Everest listing appears to contain a SQL database dump, with sample entries and screenshots from six internal tables revealing:
- Full names
- Home addresses
- Account numbers
- Internal document flags
According to our researchers, there are no SSNs or TINs in these data samples.
"The mentioned tables do not seem to contain SSNs or TINs as opposed to Frost Bank, that's why the impact here can be more limited to scams and user profiling in general and less likely of identity theft," our team assessed.
Citizens Bank and Frost Bank confirm breach at third-party vendor
Citizens Bank has confirmed to Cybernews an "incident involving data extracted from a third-party vendor" by a known threat actor.
"For Citizens, most of this was masked test data, although a very limited set of customer information was involved," the bank's spokesperson said, adding that there is "no evidence" of unauthorized access to the Citizens network and operations continue as normal.
"We have put enhanced monitoring in place and are in the process of reaching out to impacted customers with additional information and guidance. Customers can also contact Citizens through trusted channels, such as the number on the back of their card or on their statement," the spokesperson highlighted.
"Our security teams are always on, working around the clock to help safeguard customer accounts and information, and watching for unusual activity," the Citizens Bank representative added.
A Frost Bank spokesperson stated that the bank was recently notified by a third-party vendor of "unauthorized access to their systems" that may have included Frost customer data.
"We have engaged external cybersecurity experts to assist in our investigation, and early findings indicate that the incident may be related to recent claims made by cybercriminals," the spokesperson highlighted.
According to the bank, at this time, there is "no evidence of unauthorized access to the Frost network".
"Customers can be reassured they're able to safely use all Frost services," the Frost Bank spokesperson added.
Everest victims: major American banks
Everest has gone for the big boys this time. Citizens Financial Group is one of the oldest and largest financial institutions in the United States, reporting $227.9 billion in assets as of March 2026.
The bank operates over 1,000 branches across 14 states, stretching from New England through the Mid-Atlantic and into the Midwest.
Frost Bank, operating under parent company Cullen/Frost Bankers, holds $53 billion in assets and over $67 billion in trust and investment management assets, ranking among the 50 largest US banks.
It operates more than 200 financial centers across Texas's largest markets – San Antonio, Houston, Dallas-Fort Worth, and Austin.
Who is the Everest hacker group?
The Everest ransomware-as-a-service (RaaS) operation has been active since at least 2020, running a double-extortion model.
This means the Russia-linked attackers steal data, encrypt systems, and threaten to publish everything if the victim doesn't pay.
But the extortion model doesn’t stop there. What began as a conventional ransomware crew has branched into initial access brokerage – selling network footholds to other threat actors when direct extortion doesn't pay.
Throughout the course of a year, the gang amassed well over 100 victims across virtually every sector. Coca-Cola's Middle East division had employee passports and IDs dumped online after the company refused to pay.
BMW became a trophy claim in an emerging pattern against luxury brands. Under Armour was hit, and months later, 72.7 million customer emails surfaced on an illicit marketplace – proof that the gang follows through on its threats.
A breach at Collins Aerospace cascaded into a direct threat to Dublin Airport and 1.5 million passenger records, while Iberia Airlines faced a $6 million ransom demand, and Atlas Air's breach exposed sensitive Boeing technical data.
Nissan endured months of escalating pressure before the gang published its full negotiation logs, credential details, and a desperate ultimatum threatening 2.5 million people's data.
Updated on April 22nd [10:50 a.m. GMT+2] with a statement from Citizens Bank.
Updated on April 23rd [10:50 a.m. GMT+2] with a statement from Frost Bank.