Cyber-Attack Timeline: Evolve Bank

Educational and easy-to-consume visual guides to understanding attacks and enhancing resilience


Download Our Educational Cyber-Attack Timeline: Evolve Bank

Evolve Bank & Trust, a U.S.-based banking-as-a-service provider, suffered a significant cyber attack orchestrated by the LockBit ransomware group. The attackers infiltrated Evolve's systems, compromising the personal data of at least 7.6 million individuals. The breach also affected customers of Evolve's financial technology partners, such as Affirm, Mercury, and Wise, exposing sensitive information across multiple platforms.  
 
Interestingly, LockBit initially claimed to have breached the U.S. Federal Reserve, threatening to release 33 terabytes of sensitive banking information. However, upon releasing the data, it became evident that the compromised information originated from Evolve Bank & Trust, not the Federal Reserve. 
 
This misattribution highlighted the complexities and potential misunderstandings in cybercriminal activities. We've compiled all the twists and turns from this interesting, albeit highly damaging, cyber attack in our Evolve Bank Cyber Attack Timeline.

 

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.



FAQs on the Evolve Bank Cyber Attack

  • What happened in the Evolve Bank cyber attack?

    In mid-2024, Evolve Bank & Trust - a US financial services firm and banking-as-a-service provider to many fintechs - suffered a ransomware attack by the LockBit group. The attackers accessed and downloaded customer data from Evolve's databases and a file share, and encrypted some systems. Evolve refused to pay the ransom, so LockBit leaked the stolen data, initially and wrongly publishing it as a breach of the US Federal Reserve. The bank later confirmed that the personal information of more than 7.6 million people had been compromised, and the breach also affected customers of fintech partners including Wise, Affirm, Mercury and Bilt.

  • When did the Evolve Bank cyber attack take place?

    Evolve detected unusual system behaviour in late May 2024, which it first mistook for a hardware failure before identifying unauthorised activity; it saw no new unauthorised activity after 31 May 2024. Investigators found that data had been accessed during periods in February and May 2024. LockBit publicly leaked the stolen data around 23-25 June 2024, and on 8 July 2024 Evolve notified more than 7.6 million individuals and regulators that their data had been compromised.

  • Who was behind the Evolve Bank cyber attack?

    The attack was carried out by LockBit, a prolific Russia-linked ransomware-as-a-service operation that also operates under the handle 'LockBitSupp'. The group had recently been disrupted by an international law enforcement operation, and its administrator has since been publicly identified and sanctioned by US and UK authorities. Many researchers viewed LockBit's surrounding claims - including that it had breached the Federal Reserve - as an attempt to stay relevant after that crackdown. 

  • Did LockBit really hack the US Federal Reserve?

    No. LockBit claimed to have stolen 33 terabytes of data from the US Federal Reserve and posted it under a 'federalreserve.gov' heading on its leak site, but analysis quickly showed the data actually came from Evolve Bank & Trust, a comparatively small financial services company. Security researchers were sceptical of the Federal Reserve claim from the outset, and Evolve confirmed that LockBit had 'mistakenly attributed the source of the data to the Federal Reserve Bank'. The central bank itself was not breached. 

  • How did the attackers gain access to Evolve Bank's systems?

    According to Evolve, the attackers gained access when an employee inadvertently clicked on a malicious internet link. From there, the LockBit actors were able to reach the bank's databases and a file share, download customer information, and encrypt some data within the environment. This made the breach another example of how a single phishing or social-engineering click can open the door to a major ransomware incident. 

  • What data was stolen in the Evolve Bank breach?

    Evolve said the exposed information included names, Social Security numbers, Evolve account numbers, dates of birth and contact details for most of its personal, mortgage and small business banking customers, as well as customers of its Open Banking partners. A smaller number of people also had debit card numbers affected. The stolen files included ACH transaction records - financial account numbers, routing numbers and names for both payers and payees - and personal information relating to Evolve employees. The bank said there was no evidence that customer funds were accessed.

     

  • How many people were affected by the Evolve Bank data breach?

    Evolve Bank & Trust notified more than 7.6 million individuals that their personal information had been compromised. In its filing to the Maine Attorney General's Office, the bank put the figure at 7,640,112 people. Evolve offered affected US residents two years of free credit monitoring and identity protection, and dark web monitoring for international residents where available.

     

  • Which fintech companies were affected by the Evolve Bank breach?

    Because Evolve provides banking-as-a-service to many fintechs, several partners reported that their customers were caught up in the breach. Wise said data it had shared to provide USD account details between 2020 and 2023 may have been exposed; Affirm disclosed in an SEC filing that Affirm Card user information was likely compromised; and Mercury said leaked records included some account numbers, deposit balances, business owner names and emails. Bilt notified users as a precaution while saying its own platform was not directly affected. In each case, the partners stressed that their own systems were not breached.

  • Did Evolve Bank pay the ransom?

    No. Evolve stated that it refused to pay the ransom demanded by the threat actor, and that LockBit responded by leaking the data it had downloaded. Because the bank had backups in place, it reported limited data loss and limited impact on its operations despite the file-encrypting element of the attack.

  • Was the attack connected to the Federal Reserve's penalty against Evolve?

    No - these were separate matters that happened to surface around the same time. In June 2024, the US Federal Reserve issued an enforcement action against Evolve over deficiencies in its risk management, anti-money laundering and compliance practices identified in 2023 examinations, requiring it to address those issues before expanding certain activities. That regulatory action was unrelated to the LockBit ransomware attack, although the coinciding timing drew added attention to the bank.

  • How did Evolve Bank respond to the cyber attack?

    Evolve engaged external cybersecurity specialists, contained the attack and reported the incident to law enforcement. It reset passwords globally, rebuilt critical identity and access management components including Active Directory, further hardened its firewalls and security appliances, and deployed endpoint detection and response tools. It notified affected individuals and regulators - including the Maine Attorney General's Office - offered credit monitoring and identity protection, and issued new account numbers where warranted.

     

  • What can organisations learn from the Evolve Bank cyber attack?

    The Evolve incident shows how one employee clicking a malicious link can lead to a multi-million-record breach, and how banking-as-a-service relationships can spread the impact to many downstream fintechs and their customers. Key lessons include phishing-resistant authentication and user awareness training, strong segmentation and access controls around sensitive data, reliable and tested backups, robust third-party and supply-chain risk management, and a rehearsed incident response and breach-notification plan. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning. 

We are industry-experienced practitioners in cyber security training and cyber security consultancy services.


Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.


Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.


Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.


Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.


Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.


Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.
