
The notorious Everest ransomware gang has suffered an apparent breach of its own, with its dark web leak site defaced and subsequently taken offline by an unknown attacker over the weekend. The attacker, whose identity remains a mystery, replaced the site’s contents with a sarcastic message reading: “Don’t do crime CRIME IS BAD xoxo from Prague.”
Shortly after the defacement, the Everest leak site went offline entirely and now displays a standard “Onion site not found” error, suggesting it has been taken down or is no longer accessible via the Tor network.
While details surrounding the incident remain scarce, speculation has already begun within the cybersecurity community about the possible cause of the breach. Tammy Harper, Senior Threat Intelligence Researcher at threat intelligence firm Flare, pointed to a potential vulnerability in the site’s underlying infrastructure.
“It is worth mentioning that Everest was using a WordPress template for their blog. I would not be surprised if that was how this happened,” Harper noted, referring to a possible exploit in the platform that could have allowed unauthorized access.
Everest, active since 2020, has been a prominent player in the ransomware ecosystem. The gang began as a data theft and extortion group but later expanded to include ransomware in its attacks, encrypting victims’ systems to strengthen its leverage in ransom negotiations. It is also known to operate as an initial access broker, selling unauthorized access to breached corporate networks to other cybercriminal actors.
Over the past five years, Everest has listed over 230 victims on its now-defunct leak site. These listings were part of a double-extortion tactic, where victims were pressured to pay not only to decrypt their data but also to prevent the public release of sensitive information.
Among its recent victims is STIIIZY, a well-known California-based cannabis brand. In November 2024, Everest claimed responsibility for breaching STIIIZY’s systems. Two months later, the company disclosed that attackers had compromised its point-of-sale (POS) vendor, stealing customer data including purchase records and government-issued identification.
Everest has also drawn increasing attention from federal authorities. In August 2024, the U.S. Department of Health and Human Services issued a warning about the group’s escalating attacks on healthcare organizations—a sector frequently targeted by ransomware gangs due to the critical nature of its services and the high value of personal health data.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543