- cross-posted to:
- cybersecurity@sh.itjust.works
Andi’s Writeup
The Everest ransomware gang’s dark web leak site was hacked and defaced on April 7, 2025, with attackers replacing the content with the message “Don’t do crime CRIME IS BAD xoxo from Prague”[1]. The site subsequently went offline and displayed an “Onion site not found” error[1].
Flare Senior Threat Intelligence Researcher Tammy Harper suggested the breach likely exploited vulnerabilities in the site’s WordPress template[1]. The attack disrupted Everest’s operations, which had evolved since 2020 from data theft extortion to include ransomware deployment and selling network access to other cybercriminals[2].
Prior to the breach, Everest had claimed over 230 victims on its leak site, including recent attacks on cannabis retailer STIIIZY and increased targeting of U.S. healthcare organizations in 2024[1][3]. The group operated as both a ransomware outfit and initial access broker, selling compromised network access to other threat actors[4].
[1] BleepingComputer - Everest ransomware’s dark web leak site defaced, now offline
[2] CyberSecurityNews - Everest Ransomware Gang Leak Site Hacked and Defaced
[3] CyberDaily - Hackers hacking hackers: Everest ransomware leak site defaced
[4] TheSecMaster - Everest Ransomware Group: Threat Actor Analysis 2024