Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime, Ransomware

Bogus: LockBit's Claimed Federal Reserve Ransomware Hit

Actual Victim: Evolve Bank, Now Dealing With Open Banking Enforcement Action by Fed
The LockBit ransomware-as-a-service gang did not hack the U.S. Federal Reserve Bank. (Image: Shutterstock)

More reasons to beware breathless reporting about a ransomware group's latest supposed victim: LockBit's claim to have breached the U.S. Federal Reserve Bank.

The Fed, based in Washington, is America's central bank. It works with 12 regional Fed banks. If any aspect of that system fell victim to ransomware-wielding groups, or had data exfiltrated, it could pose a major risk to the country's financial sector, or at least perceptions of its security.

Enter LockBit, which claimed Sunday to have stolen 33 terabytes of data from the Fed. Using a now well-worn extortion tactic, LockBit activated a countdown timer on its blog and threatened to release the data unless the victim paid up promptly - in this case, within 48 hours.

Said deadline duly passed and, as with so many aspects of ransomware, the claim by LockBit turned out to be bogus, at least as concerns the victim's identity.

On Tuesday, LockBit's data leak site instead revealed a supposed leak of Evolve Bank & Trust, which is part of West Memphis, Arkansas-based Evolve Bancorp.

Evolve Bancorp operates both a traditional bank and open banking services, which it provides to a number of fintech companies via what's often referred to as banking as a service.

On Wednesday, Evolve said in a data breach notification that it is investigating an apparent breach as well as a leak of customer data.

"It appears these bad actors have released illegally obtained data, on the dark web," it said. "Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. This incident has been contained, and there is no ongoing threat."

Evolve said exposed information could include each customer's full name, account number, contact details, birthdate and Social Security number. The bank said it will contact affected customers, offer prepaid credit monitoring services and, if necessary, issue replacement account numbers.

How did a ransomware group, not for the first time, try to extort the wrong victim? Experts say the fact that the group is largely comprised of Russian-speaking operators and affiliates is probably part of the explanation.

One skeptic of LockBit's claims to have hit the Fed was the malware research group vx-underground. "We suspected the affiliate (who probably doesn't know English) saw a document that said 'United States Federal Reserve' and thought it was that," the group said.

Whether or not Evolve is truly one of LockBit's latest victims remains unclear. If it is, that could add to the problems the bank is already facing. Notably, the Fed is involved.

On June 14, the Board of Governors of the Federal Reserve System, working with the Arkansas State Bank Department, issued a cease and desist order against Evolve Bancorp and Evolve Bank & Trust, citing shortcomings in the bank's "anti-money laundering, risk management and consumer compliance programs."

The enforcement action centers on the bank's partnerships, after a 2023 examination by regulators and an early 2024 follow-up "found that Evolve engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships" and also lacked robust controls for complying with anti-money laundering and consumer protection laws, the Fed said.

The order requires Evolve to implement a host of improvements, including stronger board of directors oversight for the bank's compliance with the Bank Secrecy Act and sanctions enforced by the Department of Treasury's Office of Foreign Assets Control, as well as better oversight of the bank's existing partnerships.

The order prohibits Evolve from establishing any new open banking partnerships or offering any new products and services to existing partners without prior approval of the board.

The Fed said that its enforcement action "is independent of the bankruptcy proceedings regarding Synapse Financial Technologies." Synapse, which acted as a middleman between banking apps and FDIC-insured banks, collapsed in April over a dispute with Evolve regarding customer balances, TechCrunch reported.

After potential buyer TabaPay backed out, Synapse filed for bankruptcy on April 22. Since then, more than 100,000 users of the banking app Yotta have lost access to their deposits, CNBC reported. Those deposits were not protected by the Federal Deposit Insurance Corp., and Yotta wasn't directly regulated by the Fed.



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



