Everest ransomware gang's leak site hacked, defaced with 'Crime is bad' taunt. C...
Over the weekend, the notorious Everest ransomware gang faced an unexpected humiliation when their dark web leak site was hacked and replaced with a sarcastic message: _“Don’t do crime CRIME IS BAD xoxo from Prague.”_ The site, critical to Everest’s double-extortion campaigns, now displays an _“Onion site not found”_ error, leaving cybersecurity experts and threat actors alike questioning how a criminal group fell victim to the very tactics it employs.
### **A Mocking Blow to Cybercriminals**
The defacement of Everest’s leak site marks a rare instance of cybercriminals being targeted by an unknown adversary. The mocking message, signed _“from Prague,”_ has been widely interpreted as a deliberate attempt to undermine Everest’s credibility. Security researchers, including Flare Senior Threat Intelligence Analyst Tammy Harper, noted the irony: “For a group that prides itself on breaching organizations, this is a significant blow to their reputation.”
The attack disrupted Everest’s operations, temporarily halting their ability to pressure victims by threatening data leaks—a cornerstone of their double-extortion strategy. While the gang quickly took the site offline, the incident has sparked debates about vulnerabilities even within criminal ecosystems.
### **WordPress Vulnerability Suspected**
Experts speculate that the breach may have stemmed from a WordPress vulnerability. Everest’s leak site reportedly used a WordPress template, which Harper highlighted as a potential weak point: “WordPress is a common target. If they failed to patch plugins or themes, it would’ve been an easy entry for attackers.”
WordPress, powering over 40% of websites globally, is frequently compromised through outdated plugins and themes or weak configurations rather than through the core software itself. The incident underscores a paradoxical truth: even cybercriminals neglect basic cybersecurity hygiene. “This is a reminder that no one is immune to poor security practices,” Harper added.
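The hygiene failure Harper describes, unpatched plugins and themes, is easy to check for on any WordPress install. The script below is an added example, not code from the article or from any of the parties it describes. It assumes the JSON shape emitted by WP-CLI’s `wp plugin list --format=json` and `wp theme list --format=json` (fields `name`, `status`, `update`, `version`, `update_version`) and runs offline against constructed sample data; the `audit_live` helper shows how the same logic would be fed from a real `wp` binary. Inactive extensions are reported too, because their PHP files remain installed and reachable until deleted.

```python
"""Audit a WordPress install's plugins and themes for pending updates.

Added example, not part of the original article. Assumes WP-CLI's
`wp plugin list` / `wp theme list` JSON output with the fields
name, status, update, version, update_version (an assumption about
the CLI's field names). Sample data below is constructed.
"""
import json
import subprocess
from typing import Dict, List

# Constructed sample output in the shape WP-CLI emits. Names and
# versions are illustrative and describe no real site.
SAMPLE_PLUGINS = json.dumps([
    {"name": "contact-form", "status": "active", "update": "available",
     "version": "1.4.2", "update_version": "1.5.0"},
    {"name": "gallery", "status": "inactive", "update": "available",
     "version": "2.0.1", "update_version": "2.3.0"},
    {"name": "cache", "status": "active", "update": "none",
     "version": "3.1.0", "update_version": ""},
])
SAMPLE_THEMES = json.dumps([
    {"name": "leakboard", "status": "active", "update": "none",
     "version": "1.0", "update_version": ""},
    {"name": "twentytwentythree", "status": "inactive", "update": "available",
     "version": "1.2", "update_version": "1.3"},
])

FIELDS = "name,status,update,version,update_version"


def audit(plugins_json: str, themes_json: str) -> Dict[str, List[str]]:
    """Return two finding lists: extensions with an update pending, and
    extensions that are installed but inactive (still on disk, still
    attack surface, candidates for deletion)."""
    findings: Dict[str, List[str]] = {
        "update_available": [],
        "inactive_installed": [],
    }
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            label = f"{kind}:{item['name']}"
            if item.get("update") == "available":
                target = item.get("update_version") or "?"
                findings["update_available"].append(
                    f"{label} {item['version']} -> {target}")
            if item.get("status") == "inactive":
                findings["inactive_installed"].append(label)
    return findings


def audit_live(wp_path: str) -> Dict[str, List[str]]:
    """Feed audit() from a real install. Requires `wp` on PATH and is
    not exercised by the offline demo below."""
    def run(subcmd: List[str]) -> str:
        cmd = ["wp", *subcmd, f"--path={wp_path}",
               f"--fields={FIELDS}", "--format=json"]
        return subprocess.run(cmd, check=True, capture_output=True,
                              text=True).stdout
    return audit(run(["plugin", "list"]), run(["theme", "list"]))


def has_findings(findings: Dict[str, List[str]]) -> bool:
    """True if anything needs attention; usable as a cron exit status."""
    return any(findings.values())


if __name__ == "__main__":
    result = audit(SAMPLE_PLUGINS, SAMPLE_THEMES)
    for section, entries in result.items():
        print(section)
        for entry in entries:
            print("  ", entry)
    raise SystemExit(1 if has_findings(result) else 0)
```

Run as a cron job, a non-zero exit is a cheap signal that a site has drifted out of patch; the same report is worth producing before any theme or plugin is first enabled, since an extension that already needs an update on install day is one to avoid.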
### **From Data Theft to Ransomware Kingpin**
Since emerging in 2020, Everest has evolved from a data theft-focused group to a full-fledged ransomware operation. Their tactics now include encrypting victims’ systems and selling network access to other cybercriminals, positioning them as both ransomware deployers and initial access brokers.
**Key Milestones:**
- **2020:** Launched as a data extortion group.
- **2023:** Shifted to ransomware deployment, expanding their profit streams.
- **2024:** Claimed over 230 victims, including high-profile targets like STIIIZY, a California-based cannabis brand, and U.S. healthcare organizations.
In November 2024, Everest allegedly breached STIIIZY’s point-of-sale vendor, stealing customer data, including government IDs. The company confirmed the breach in January 2025, linking it to a third-party vendor compromise.
### **Healthcare Sector Under Fire**
The U.S. Department of Health and Human Services (HHS) issued a warning in August 2024 about Everest’s escalating attacks on healthcare providers. These organizations, already vulnerable due to sensitive data and critical services, face heightened risks of operational disruption and financial losses from ransom demands.
### **A Temporary Setback?**
While the leak site takedown disrupts Everest’s operations, experts believe the group will likely regroup. “Ransomware gangs are resilient. They’ll migrate to new infrastructure, but this incident might make victims think twice about paying ransoms,” said Harper.
However, the breach could embolden vigilantes or rival groups to target other cybercriminal platforms, complicating the dark web’s already volatile landscape.
### **Who Hacked Everest? Theories Abound**
The attacker’s identity remains shrouded in mystery. Possible scenarios include:
1. **Hacktivists:** Motivated by ideology, possibly targeting Everest’s healthcare attacks.
2. **Rival Groups:** Competing gangs seeking to destabilize Everest’s dominance.
3. **Law Enforcement:** Unlikely, as agencies typically seize infrastructure rather than deface it.
The “Prague” reference could be a red herring, but it has fueled speculation about Eastern European cybercrime rivalries.