What Happened
In February 2024, the LockBit ransomware group breached Evolve Bank & Trust, a Memphis-based financial institution that provides banking-as-a-service infrastructure for numerous fintech companies. The attackers maintained access for nearly four months before being discovered in late May 2024, ultimately exfiltrating sensitive data affecting 7.6 million individuals.
Evolve declined to pay the ransom. In retaliation, LockBit published the stolen data on its dark web leak site in June 2024, falsely claiming the data came from the Federal Reserve in an apparent attempt to cause maximum disruption.
How They Got In
An Evolve Bank employee clicked on a malicious link in a phishing email in February 2024, giving attackers initial access to the bank’s systems. The attackers established persistence and moved laterally through the network over the following months.
The extended dwell time of nearly four months allowed attackers to identify and exfiltrate significant volumes of sensitive data before Evolve detected the intrusion in late May 2024.
Data Exposed
The breach exposed customer data including names, Social Security numbers, dates of birth, addresses, and account information. Bank account numbers, routing numbers, and ACH transaction records were compromised. Personal identification documents and financial statements were also accessed.
The exposure was particularly concerning because Evolve’s role as a banking-as-a-service provider meant the compromised data included information from customers of multiple fintech partners.
Fintech Partner Impact
Evolve Bank provides the underlying banking infrastructure for numerous fintech companies, meaning the breach rippled through the broader fintech ecosystem. Affected partners included Affirm, the buy-now-pay-later provider; Mercury, the startup banking platform, which confirmed customer data was exposed; and Wise, the international money transfer service, which notified affected customers. Mastercard’s services were also impacted. Other partners included Bilt Rewards, Branch, Dave, EarnIn, and SoLo Funds.
Each fintech partner had to assess the impact on their customers and issue their own breach notifications. The incident highlighted the concentrated risk when multiple companies depend on a single banking-as-a-service provider.
Settlement and Response
Evolve reached an $11.85 million settlement to resolve class action claims arising from the breach. The settlement included cash payments to affected individuals and commitments to enhance security practices.
The breach prompted increased regulatory scrutiny of banking-as-a-service providers and their security practices. The Federal Reserve and state regulators examined Evolve’s security controls and incident response.
LockBit Attribution
LockBit is one of the most prolific ransomware operations, responsible for hundreds of attacks across multiple sectors. Despite law enforcement disruption in February 2024 that seized LockBit infrastructure and identified operators, the group continued operations.
The attack on Evolve occurred shortly after the law enforcement action, demonstrating the resilience of ransomware-as-a-service operations. LockBit’s publication of the stolen data after Evolve refused to pay followed the group’s standard double extortion playbook.
Lessons Learned
The Evolve breach highlighted critical risks in the fintech ecosystem. Banking-as-a-service concentration creates systemic risk when single points of failure affect multiple downstream companies. Extended dwell times enable massive data exfiltration, emphasizing the importance of detection capabilities alongside prevention. Fintech companies should assess the security of their banking partners as part of their own risk management. Phishing remains a primary initial access vector, requiring continuous employee training and email security investment.
Organizations partnering with banking-as-a-service providers should conduct security due diligence and have contingency plans for partner breaches.