The Everest ransomware group has added Citizens Bank, a major American retail and commercial bank headquartered in Providence, Rhode Island, to its dark web leak site. The listing was surfaced by RedPacket Security on April 20, 2026, and is framed as a data compromise rather than a full encryption event. Notably, the claim carries a verification alert: recent reporting has flagged Everest postings as potentially including unverified or fabricated victim claims.

What Happened

On April 20, 2026, a post appeared on the Everest group's Tor-based leak blog naming Citizens Bank as a victim of a ransomware-related incident. The leak page includes no screenshots, file samples, or other imagery to substantiate the breach, and no explicit ransom demand is visible in the accessible content. The posting characterizes the incident as a data exfiltration event rather than a system-wide encryption attack, consistent with Everest's shift toward extortion-only operations observed across its recent campaigns.

Citizens Bank has not publicly confirmed the incident at the time of this writing, and the listing should be treated as unconfirmed pending corroboration. BankInfoSecurity and other industry outlets have recently warned that Everest's brand has been associated with fabricated or recycled victim claims, potentially as a scam operation trading on the group's name.

What Was Taken

The leak page does not disclose specifics regarding compromised data types, record volumes, or timeframes. Everest typically advertises stolen datasets including customer records, financial documents, internal communications, and employee data, but none of that detail has been surfaced in this posting. Given Citizens Bank's industry, any authentic breach would raise immediate concerns around customer PII, account numbers, transaction histories, loan and mortgage files, KYC documentation, and wealth management client records. Until proof-of-compromise samples are published, the scope remains speculative.

Why It Matters

Citizens Bank is one of the largest retail banks in the United States with a substantial commercial banking footprint, making any confirmed breach a systemically relevant event for the US financial sector. Even an unverified listing can move markets, trigger regulatory inquiries, and drive phishing waves targeting Citizens customers who fear their data is exposed. Financial services defenders should track the listing closely for proof-of-compromise updates while remaining skeptical, as Everest's recent pattern of disputed claims means unconfirmed posts can serve as pretexts for downstream social engineering regardless of their authenticity.

The Attack Technique

No initial access vector, dwell time, or tooling has been disclosed on the leak page. Everest has historically relied on compromised credentials purchased from initial access brokers, exploitation of exposed remote services such as RDP and VPN appliances, and abuse of valid accounts to move laterally within victim environments. The group has operated both as a ransomware-as-a-service affiliate network and as a pure data extortion crew, often using living-off-the-land binaries and legitimate administrative tooling to evade detection prior to exfiltration.
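The valid-account and exposed-remote-service pattern described above is one that defenders can hunt for in authentication logs. The following is an added illustration, not code from the source or anything attributed to Everest: it runs three simple detections over a handful of constructed logon records shaped loosely like Windows 4624 events (LogonType 10 for RDP) and a generic VPN gateway log. The event records, the trusted network ranges, the failure threshold and the field names are all assumptions made for the example.

```python
"""Hunting sketch for valid-account abuse over exposed remote services.

Rules (all thresholds and field names are assumptions for this example):
  1. success-after-repeated-failures : a logon succeeds for a (user, ip) pair
     after N consecutive failures from that pair (password guessing that landed)
  2. rdp-from-untrusted-network      : RemoteInteractive (type 10) logon whose
     source IP is outside the corporate ranges
  3. new-source-for-account          : an account that has a baseline of
     successful logons starts succeeding from an IP never seen before
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real telemetry). "src" names the log source,
# "logon_type" mirrors the Windows 4624 LogonType field where applicable.
SAMPLE_EVENTS = [
    {"ts": "2026-04-18T02:14:09Z", "src": "rdp", "user": "jdoe",
     "ip": "10.20.4.17", "logon_type": 10, "status": "success"},
    {"ts": "2026-04-18T02:15:31Z", "src": "rdp", "user": "jdoe",
     "ip": "10.20.4.17", "logon_type": 10, "status": "success"},
    {"ts": "2026-04-18T03:02:44Z", "src": "vpn", "user": "svc_backup",
     "ip": "203.0.113.45", "status": "failure"},
    {"ts": "2026-04-18T03:03:10Z", "src": "vpn", "user": "svc_backup",
     "ip": "203.0.113.45", "status": "failure"},
    {"ts": "2026-04-18T03:03:41Z", "src": "vpn", "user": "svc_backup",
     "ip": "203.0.113.45", "status": "failure"},
    {"ts": "2026-04-18T03:05:12Z", "src": "vpn", "user": "svc_backup",
     "ip": "203.0.113.45", "status": "success"},
    {"ts": "2026-04-18T03:20:00Z", "src": "rdp", "user": "svc_backup",
     "ip": "198.51.100.9", "logon_type": 10, "status": "success"},
]

# Assumed corporate address space; an RDP logon from anywhere else is suspect.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
FAILURE_THRESHOLD = 3  # assumed tuning value


@dataclass
class Finding:
    rule: str
    user: str
    ip: str
    ts: str


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(events):
    """Replay events in time order and return the findings the rules produce."""
    findings = []
    failures = defaultdict(int)   # (user, ip) -> consecutive failures so far
    seen_ips = defaultdict(set)   # user -> source IPs with a prior success

    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["status"] == "failure":
            failures[key] += 1
            continue

        # Rule 1: the failure streak for this pair ended in a success.
        if failures[key] >= FAILURE_THRESHOLD:
            findings.append(Finding("success-after-repeated-failures",
                                    ev["user"], ev["ip"], ev["ts"]))
        failures[key] = 0

        # Rule 2: interactive RDP session from outside the corporate ranges.
        if ev["src"] == "rdp" and ev.get("logon_type") == 10 \
                and not is_trusted(ev["ip"]):
            findings.append(Finding("rdp-from-untrusted-network",
                                    ev["user"], ev["ip"], ev["ts"]))

        # Rule 3: the account has a baseline, and this source is not in it.
        if seen_ips[ev["user"]] and ev["ip"] not in seen_ips[ev["user"]]:
            findings.append(Finding("new-source-for-account",
                                    ev["user"], ev["ip"], ev["ts"]))
        seen_ips[ev["user"]].add(ev["ip"])

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.ts} {f.rule:32} user={f.user} ip={f.ip}")
```

Against the constructed sample the script raises three findings, all on the service account: the VPN success that followed three failures, the subsequent RDP session from an address outside the trusted ranges, and the fact that the account had never been seen from that address. In a real deployment the baseline of seen IPs would be built from weeks of history rather than from the same batch being analysed, and the trusted ranges would come from the organisation's own network inventory.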

What Organizations Should Do

Sources: [EVEREST] - Ransomware Victim: Citizens Bank - RedPacket Security