Hackers claim they stole Federal Reserve data, offer no evidence

In a post on its victim-shaming site, ransomware group LockBit claimed Sunday evening that it had stolen 33 terabytes of data belonging to the Federal Reserve, and the group threatened a Tuesday evening release time. The Fed has not commented on the matter.

Brett Callow, a threat analyst at Emsisoft, said it was “highly likely, in my opinion” that the group is lying. “I believe it’s far more likely that any data they do have relating to the [Fed] would have come from a third party,” he said.

Breaches of third-party IT services have become a common method for ransomware actors to steal data. In a prominent recent example, threat actor UNC5537 stole data from multiple organizations by breaching databases stored by cloud storage provider Snowflake. According to Google-owned cybersecurity firm Mandiant, it and Snowflake have notified “approximately 165 potentially exposed organizations” about the breaches. Among those companies are Santander Bank, QuoteWizard and Ticketmaster.

LockBit has no known involvement in the Snowflake data breaches.

Callow was not alone in his analysis that the group is likely lying. The anonymous owner of the social media account for vx-underground, an online collection of malware samples, said simply about LockBit’s claim, “Doubt.” It is possible that the group “ransomed something small in the Federal Reserve,” vx-underground said on X, “like maybe LockBit took down their coffee machine.”

Despite law enforcement actions against LockBit earlier this year, including hijacking the victim-shaming site where the group posts about the data it has stolen, the threat actor has launched new sites and continued claiming new victims.

On May 8, the day after the FBI publicly identified LockBit’s leader as Russian national Dmitry Khoroshev, the gang claimed responsibility for a breach against the city of Wichita, Kansas. On May 23, the group published data it claims it stole from London Drugs, a Canadian pharmacy chain.

LockBit has not made any specific claims about the nature of the stolen data. While the group typically posts samples of the data it has stolen, particularly in cases of high-profile cyberattacks, it has not posted any such samples of the supposedly stolen Fed data.

“No proof, so [probably] just blowing off steam,” said Dominic Alvieri, a cybersecurity analyst, on X.