Evolve Hack Crisis: Russia-Linked Cybergang Leaks Records On Millions
Major fintechs like Affirm, Mercury, Dave, Wise, Airwallex, and countless others impacted by massive data breach
Hey all, Jason here.
You know, I was hoping that with the Synapse bankruptcy settling into a slower phase, things would calm down… alas, here we are.
For those that missed Friday’s special edition of Fintech Business Weekly on the latest BaaS enforcement action against Thread Bank, you can find it here.
I’m also excited to announce I’ll be participating in Unit21’s Fraud Fighters event in a session with some of fintech’s MVPs: Jason Henrichs, of Alloy Labs Alliance, and Frank Rotman, of QED — more info below.
If today’s email is clipped in your email client due to length, you can read the full version on the web here.
If you enjoy reading this newsletter each Sunday and find value in it, please consider supporting me (and finhealth non-profits!) by signing up for a paid subscription. It wouldn’t be possible to do what I do without the support of readers like you!
👀 Spotlight on Fintech
Sponsored content: Long gone are the days of ZIRP (Zero Interest-Rate Policy), driving growth at all costs for Fintechs. What does the current economic & regulatory climate mean for Fintechs in 2024 and beyond?
Join Jason Mikula & friends to discuss the current state of the industry:
🏦 Sponsor banks, Fintech partnerships, and third-party risk
📈 How to balance growth & risk that’s sustainable (and attractive to capital!)
⚖️ Practical advice and outlooks from Fintech industry insiders
And more!
You won’t want to miss this action-packed session. Save your spot today!
Evolve Hack Crisis: Russia-Linked Cybergang Leaks Records On Millions
The situation at Evolve Bank & Trust, which powers dozens of fintech programs with millions of end users, went from bad to worse last week.
The bank is still struggling to deal with the fallout from the bankruptcy and reconciliation issues linked to one-time banking-as-a-service partner Synapse, in which hundreds of thousands of end users lost access to their funds.
Now, the bank has been hit in what may be one of the widest-reaching public data breaches in US history.
Given the sheer amount of data leaked, reportedly as much as 33 terabytes, it will take some time to determine exactly how bad the situation is. For context, 33 terabytes is the equivalent of about 2.8 billion pages of text — though even the true size is uncertain, as the leak may contain duplicate or compressed files.
What Happened?
A Russia-linked ransomware group known as LockBit, which has conducted thousands of attacks in recent years, claimed on its site it had a cache of data from the US central bank, the Federal Reserve, that it would release if the ransom it demanded was not paid.
Last month, the Department of Justice charged an individual alleged to have helped develop the ransomware software. Attorney General Merrick Garland said at the time (emphasis added):
“Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme, which has targeted over 2,000 victims and stolen more than $100 million in ransomware payments. We will continue to work closely alongside our partners, across the U.S. government and around the world to disrupt cybercrime operations like LockBit and to find and hold accountable those responsible for them.”
But when the data was released early Wednesday morning, it became clear it wasn’t the Federal Reserve’s, but rather Evolve Bank & Trust’s. Evolve is arguably the most prolific partner bank supporting fintech programs and currently or previously has powered services or capabilities for firms that include (in alphabetical order):
Affirm
Airwallex
Alloy
Apto Payments
Asset Lab
B9
Bilt
BlockFi (bankrupt)
Bond (BaaS platform acquired by FIS)
Branch (powers instant payout and EWA programs for major businesses like Uber and Fetch and franchise operators of brands like Pizza Hut, Jimmy John’s, and Dunkin Donuts)
Brightside
Buffpay
Bushel Exchange
ByteFederal
Cadre
ChangeFi
Clearing
Dave
Deserve (credit card-as-a-service platform)
Earnin’
EquityZen
eusoh
Every
Extra
Finch Money
FloatMe
Flycoin
FTX (bankrupt)
Gerald
Grid
GigWage
GloriFi (shutdown)
GoChanged
GravyStack
Hightop
Juno
Kyshi
Lumanu
Melio
Mercury
Nomad
Paceline
Palolo
PayGears
Paystand
PrideCard
PrizePool
Profit Business Bank
Qoins
RBR
RelayFi
Rho
Rollfi
Sail
Save
Series Financial
Shopify (via Stripe Treasury)
Sila (payment processing platform)
Solid (banking-as-a-service platform)
SoLo Funds
Starlight
Status Money (shutdown)
Step
Stilt (acquired by JG Wentworth)
Stripe Treasury
Swype
Synapse (ongoing bankruptcy)
TabaPay
TeamUP
Unbanked
Wise (until late 2023)
YieldStreet
Yorbis
ZELF
Zirtue
The Federal Reserve Board, Evolve’s primary federal regulator, hit the bank with a wide-reaching enforcement action earlier this month — which specifically cited the bank’s inadequate information security practices and required it to develop a plan to remediate them. Specifically, the order stated:
Within 60 days of the effective date of this Order, the Bank shall submit a written plan acceptable to the Supervisors, including timetables, to correct the information technology and information security deficiencies identified in the Reports of Examination.
Yet Evolve’s lax security practices aren’t a surprise to industry insiders.
Last October, Fintech Business Weekly covered some of the reconciliation challenges between Evolve and Synapse — analysis that was informed in part by records leaked from Evolve due to a misconfigured Zendesk instance:
What’s In The Hack?
Given the sheer size of the files released, it’s too early to know exactly what has been compromised.
Information security professionals who have accessed and begun examining the data in order to take necessary steps to mitigate risk have suggested that Evolve’s Azure tenant was compromised, allowing the hackers to make copies of most or all of the bank’s virtual machines, including those running its website, SFTP, and SQL server, as well as information from its core banking system, which is said to be Jack Henry’s jXchange. That could potentially include Evolve’s credentials for accessing Federal Reserve systems.
Sources who have been reviewing the files also indicate they contain ACH and wire files, settlement files, card primary account numbers (PANs), and card transaction records, and describe the situation as “as bad as it gets.”
Given the scope of fintech programs and payment processing services Evolve supported, the breach likely contains data on tens of millions of consumers and businesses.
Evolve is one of the largest ACH originators in the country, meaning even those who have never used Evolve or an Evolve-linked service may have data compromised in the breach, if they’ve ever sent a payment to or received a payment from an Evolve program.
An industry source who was examining the data for risk-mitigation purposes told Fintech Business Weekly, “I can't think of a data breach with this much PII and consumer and commercial financial data.... that then is publicly available.... ever.”
A single flat JSON file reviewed by Fintech Business Weekly included unencrypted/unhashed names, addresses, Social Security/Tax ID numbers, dates of birth, account balances, email addresses, phone numbers, and account numbers on 155,586 accounts at the following services:
Yotta
Copper
YieldStreet
Juno
Dave
BrightSide
SoLo Funds
ChangEd
Mercury
MainVest
Fund That Flip
Nomad
Bitfinex
Rho
and numerous others
A user of Copper whose data appeared in the file, contacted by Fintech Business Weekly, confirmed their information in the file is accurate.
A review of the directory structure of the leaked data also suggests a large volume of Evolve’s internal emails are contained in the breach.
For example, the below directory appears to show over 20 gigabytes of Outlook data files for Dick Wittenberg, the bank’s Senior Vice President of Private Banking:
Cursory Examination Reveals Numerous Suspicious Accounts
A cursory analysis of account details reviewed by Fintech Business Weekly with support from information security researchers and AML experts gives ample cause for concern.
For instance, a review of phone numbers associated with Mercury accounts revealed 132 accounts with phone numbers in higher risk countries like Pakistan and the United Arab Emirates — and 11 accounts had associated phone numbers in Russia and Venezuela, which are sanctioned jurisdictions.
The account with a Venezuelan phone number is marked as “CLOSED,” though four of the accounts with Russian phone numbers had permissions of “SEND AND RECEIVE,” indicating that they were open as of the time the file was generated, which appears to be January 11, 2024:
In addition to phone numbers in higher-risk or sanctioned jurisdictions, many of the accounts also show P.O. Boxes or registered agents as their address — a likely violation of BSA/AML requirements, which call for a verifiable physical address as part of customer due diligence.
Businesses are generally required and must be able to demonstrate an actual physical presence in the United States, not just a company with a P.O. Box or registered agent address, in order to access banking services in the country.
Yet Mercury and Evolve do not appear to have consistently enforced those requirements.
For example, this Mercury client claims to operate an e-commerce business selling animal, pet, and beauty supplies in the United States and lists a physical address of 984 Portland Avenue in Rochester, New York — but has an IP address, phone number, and mailing address in Pakistan:
The business says it has zero employees, and a Google Streetview search of its purported physical place of business, 984 Portland Avenue, shows the location to be a shuttered convenience store:
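As an added illustration (this is not the newsletter’s own analysis or code), here is a Python screen of the kind a compliance reviewer might run over records shaped like the flat JSON file described above: it flags phone numbers whose calling codes fall on a sanctioned or higher-risk list, flags P.O. Box or registered-agent addresses that fail the physical-address expectation, and records whether the account is still open (“SEND AND RECEIVE”). The sample records and the watchlists are constructed for the example.

```python
import json
import re

# Constructed sample records shaped like the flat JSON file the newsletter
# describes (phone, address, permissions); every value here is invented.
SAMPLE_JSON = """[
  {"account_id": "acct-001", "phone": "+1 585 555 0100",
   "address": "100 Main St, Rochester, NY 14605", "permissions": "SEND AND RECEIVE"},
  {"account_id": "acct-002", "phone": "+92 300 555 0199",
   "address": "200 Example Ave, Rochester, NY 14605", "permissions": "SEND AND RECEIVE"},
  {"account_id": "acct-003", "phone": "+7 495 555 0111",
   "address": "P.O. Box 1234, Dover, DE 19901", "permissions": "SEND AND RECEIVE"},
  {"account_id": "acct-004", "phone": "+58 212 555 0122",
   "address": "c/o Registered Agent Inc, Cheyenne, WY", "permissions": "CLOSED"}
]"""

# Hypothetical watchlists keyed by country calling code; a real review would use
# the institution's own sanctions and high-risk country lists. Note that "+7" is
# shared by Russia and Kazakhstan, so a hit is a lead to verify, not a verdict.
SANCTIONED = {"7": "Russia", "58": "Venezuela"}
HIGHER_RISK = {"92": "Pakistan", "971": "United Arab Emirates"}

# Address patterns that indicate a mail drop rather than a physical location.
NON_PHYSICAL = re.compile(r"\b(p\.?\s*o\.?\s*box|post office box|registered agent)\b", re.I)

def calling_code(phone):
    """Longest watchlisted calling-code prefix of an E.164-style number ("" if none)."""
    digits = re.sub(r"\D", "", phone)
    for length in (3, 2, 1):
        prefix = digits[:length]
        if prefix in SANCTIONED or prefix in HIGHER_RISK:
            return prefix
    return ""

def screen_account(rec):
    """Return the review reasons that apply to one record (empty list if none)."""
    reasons = []
    code = calling_code(rec.get("phone", ""))
    if code in SANCTIONED:
        reasons.append(f"phone in sanctioned jurisdiction: {SANCTIONED[code]}")
    elif code in HIGHER_RISK:
        reasons.append(f"phone in higher-risk jurisdiction: {HIGHER_RISK[code]}")
    if NON_PHYSICAL.search(rec.get("address", "")):
        reasons.append("address is a P.O. Box or registered agent, not a physical location")
    return reasons

def screen_file(raw_json):
    """Screen every record; 'open' mirrors the SEND AND RECEIVE permission state."""
    hits = []
    for rec in json.loads(raw_json):
        reasons = screen_account(rec)
        if reasons:
            hits.append({"account_id": rec["account_id"],
                         "open": rec.get("permissions") == "SEND AND RECEIVE",
                         "reasons": reasons})
    return hits
```

Running `screen_file(SAMPLE_JSON)` yields one hit per flagged record; open accounts with a sanctioned-jurisdiction phone and a non-physical address would be the first to escalate for manual review.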
Mercury’s lax approach to verifying the legitimacy of applicants may stem from its prioritization of growth over legal and regulatory compliance. The company has long emphasized speed and ease of opening new accounts and white-glove customer service, especially for high-balance startups and investors, as key differentiators vs. competitors in the space.
This March, The Information’s Michael Roddan reported that, “according to eight former Mercury employees and others who have worked with the company, Mercury often prioritized growth over a more conservative stance toward complying with banking laws, which would have slowed its onboarding of new customers.”
The company even permitted a customer to withdraw money from an ATM in Cuba — a comprehensively sanctioned jurisdiction — and then failed to file a suspicious activity report with OFAC, Roddan reported.
A representative for Mercury did not provide an on-the-record comment by the time of publication.
How Are Impacted Firms Responding?
Evolve confirmed the breach and released a brief statement on its website, saying in part (spacing adjusted):
Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users).
We take this matter extremely seriously and are working diligently to address the situation. Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat.
While data breach notification requirements vary by state, most require firms to promptly notify impacted users, and those notifications started pouring out late last week, including from firms like Mercury, Bilt, Affirm, Wise, and numerous others:
Some executives of impacted firms, including Mercury and Affirm, took to X to attempt to reassure impacted users.
Yet many impacted firms haven’t even obtained copies of the leaked files, and doing so can be a time-consuming process, due to their size — let alone parsing the information in the files to assess the true scope of the risk to end users.
Even once the full impact is determined, it’s impossible for firms to mitigate all of the risk to impacted end users.
For example, users of Mercury, some of whom have balances exceeding $1 million in their accounts, may have had the name, address, phone, email, and more details associated with those accounts compromised — one information security consultant described it as the perfect “hunting list” for criminals:
Another information security researcher examining the data also pointed out the potential risk of blackmail, as names/accounts can be linked to specific transactions and merchants — including potentially sensitive or embarrassing ones.
What You Can Do To Protect Yourself
Unfortunately, data breaches are exceedingly common — last month, Ticketmaster suffered a breach that allegedly compromised data on up to 500 million users and, just last week, identity verification service AU10TIX, used by services like Uber, TikTok, and X, also suffered a data breach.
Evolve’s data breach is massive on its own, but combining data points from multiple breaches increases the level of risk, including for identity theft and fraud (which, as I can tell you, isn’t fun to deal with.)
Commonsense steps everyone can take, even if they haven’t received a data breach notification, include:
not re-using passwords across multiple sites
enabling multi-factor authentication (preferably with an authenticator app rather than SMS or email, if possible)
using passkey login where possible
freezing your credit file at the major credit bureaus
freezing your credit file at specialty bureaus, like ChexSystems and LexisNexis
adding a fraud alert to your credit files
using a service like CreditKarma to monitor for unexpected activity, like new accounts or inquiries (many credit cards offer this as well)
and, if you confirm you have been a victim of identity theft, filing a police report, as this may be needed to remediate the problem (more information here)
This story was updated to reflect that Russia and Venezuela are sanctioned but not comprehensively sanctioned jurisdictions. Fintech Business Weekly regrets the error.
Data Breaches: The Problem is PII.
Sponsored content: There have been 10k+ data breaches so far in 2024, impacting ~42 billion individual records. At this pace, there will be an 80% increase in data breaches year over year. It’s time to face facts; cybersecurity is failing.
We can no longer solve modern data security challenges by buying traditional cybersecurity tools that notify us when there’s a problem, tinker at the edges of a solution, and take reactive approaches to keeping consumer data safe. This is why there have been so many data breaches that continue to expose our personal data.
It’s time to think differently about data infrastructure end to end and solve the underlying data privacy and security problems at their core. Learn how to secure sensitive data with infrastructure at the heart of the solution:
Other Good Reads
Thread Bank Latest BaaS Enforcement Action (Fintech Business Weekly)
Supreme Court guts agency power in seismic Chevron ruling (Axios)
The Biggest Questions In BNPL (Fintech Takes)
The CFO Stack: Who wins, Ramp, Brex, Mercury? (Fintech Brainfood)
The FDIC's May Enforcement Actions (Bank Reg Blog)
About Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Vendor, partner & investment opportunity advice and due diligence
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion — reach me on Signal at +1-316-512-1571