Jun 26, 2024

Evolve Bank & Trust Confirms Its Data Was Stolen in Cyber Attack

Teresa Xie and Charles Gorrivan, Bloomberg News

A participant works on their laptop during the Locked Shields exercise in Tallinn, Estonia, on Tuesday, April 23, 2024. The NATO Cooperative Cyber Defense Center of Excellence said the annual event is intended to boost the skills of cybersecurity experts defending national IT systems and critical infrastructure under real-time attacks. Photographer: Peter Kollanyi/Bloomberg , Bloomberg

(Bloomberg) -- Evolve Bank & Trust confirmed it was the victim of a cyber attack and that customer data had been posted on the dark web, less than two weeks after the Arkansas-based lender was ordered by regulators to improve its risk management and get approval before entering into any new partnerships.

The Russian-linked hacker group LockBit 3.0 on Tuesday posted data taken from Evolve’s systems after claiming earlier in the week that it had hacked the US Federal Reserve, giving US officials until Tuesday afternoon to pay an undisclosed amount in exchange for the information purportedly stolen from the central bank’s systems. So far, it does not appear that any sensitive data from the Fed has been released by the group.

A spokesperson for Evolve said in an email that the incident has been contained and the company is currently investigating the situation with “appropriate law enforcement authorities.” The bank also said it will offer all affected customers complimentary credit monitoring with identity theft protection services. It’s still unclear exactly what information was included in the data, which Evolve said was stolen by a “known cybercriminal organization” without naming LockBit.

The disclosure of the hack follows a June 14 wide-ranging cease-and-desist order issued by the Federal Reserve and the Arkansas State Bank Department to Evolve Bank & Trust and its parent, Evolve Bancorp Inc., after examiners discovered shortcomings in the bank’s oversight of partnerships with financial-technology companies and anti-money laundering requirements. Following the order, a spokesperson for the bank said it had “made significant investments in technology and personnel” to strengthen oversight and “enhance the risk framework,” Bloomberg Law reported.

Evolve is best known for its partnerships with fintechs, which rely on traditional institutions to offer bank-like services to customers and recently have fallen under closer scrutiny by regulators. West Memphis, Arkansas-based Evolve works with popular fintechs including Affirm Holdings Inc., Marqeta Inc., Dave Inc. and others.

Evolve was one of four banks that teamed up with Synapse Financial Technologies Inc., the Andreessen Horowitz-backed fintech that filed for bankruptcy protection in April. Synapse, a “banking as a service” provider that worked as a middleman between banks and fintechs, partnered with approximately 100 fintechs covering around 10 million customers, according to bankruptcy court filings.

Jelena McWilliams, the former Federal Deposit Insurance Corp. chairman serving as the bankruptcy trustee, estimated that the shortfall in end-user funds ranges between $65 million and $95 million, according to a June 13 status report filed with the bankruptcy court.

Lockbit 3.0, the hacking group behind the Evolve leak, functions as a ransomware-as-a-service gang, in which members lease their technical tools to affiliates and demand a cut of any extortion payments.

The group posted the Evolve information on a darkweb forum tied to Lockbit, a prolific ransomware gang that has received millions of dollars in payments following attacks on thousands of victims, including the Industrial & Commercial Bank of China Ltd., Boeing Co and the UK’s Royal Mail. By 2022, the group had rebranded itself as LockBit 3.0.

In February, law enforcement agencies from 11 countries – led by the UK’s National Crime Agency and aided by the US Federal Bureau of Investigations – seized LockBit’s technical tools in an operation that targeted its malware deployment system. But the group’s hacking tools have remained widely used since they were leaked to the public in 2022, and members of the group are believed to remain active.

The compromised information included tax identification numbers, as well as wires and settlements, linked to people who have directly and indirectly worked with Evolve, according to Dirce E. Hernandez, a cybersecurity expert with experience in insurance and financial services who has spoken to analysts familiar with the data.

“From an end user and customer perspective, it’s about as bad as it gets,” Hernandez said. Criminals could use leaked social security and permanent account numbers to steal people’s identities and extort them, he added.

Bloomberg couldn’t immediately verify the authenticity of the leaked information after viewing it on LockBit 3.0’s website.

The release of the Evolve data on the LockBit website suggests some of the group’s core actors could have been behind the hack, said Brett Callow, a threat researcher at the cybersecurity firm Emsisoft. Still, the lack of a release of genuine Fed data suggests that the group is “dead in the water,” Callow added.

“The Fed claim was really a desperate play to stay relevant,” he said.

--With assistance from Paige Smith.

(Adds information on the compromised information, beginning in the 11th paragraph.)