Everest Ransomware

Mailchimp: Everest group claims data breach – company denies

Image: Mailchimp (source: Funstock/Shutterstock.com)

The Everest ransomware group is claiming an attack on the email marketing service Mailchimp. But how much damage has actually been done?

The group made the announcement yesterday on its dark web leak page and claims to have captured a 767 MB database containing 943,536 rows of data. According to Everest, the data leak includes “internal company documents” as well as “a wide variety of personal documents and customer information”.


Structured business data instead of sensitive internal data

However, as Hackread notes, a look at the sample data published by Everest shows a rather different picture. The leaked data set contains structured business information and non-sensitive internal Mailchimp data. The rows appear to contain domain names, company email addresses, phone numbers, city and country details, GDPR region labels, social media links and information about hosting providers.

Many entries also list the technology stacks used by the companies, including Shopify, WordPress, Amazon, Google Cloud and PayPal. The data is organized in spreadsheet-like rows, suggesting that it may have come from a marketing or CRM export rather than Mailchimp’s internal systems.
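The assessment above (structured business contact data, role mailboxes, domains and tech stacks, rather than credentials or identity data) is the kind of judgement a defender has to make quickly when a leak site publishes a sample. As an added example, not code from the article, from Hackread or from anyone involved, the following Python script profiles each column of a CSV sample by value type and gives a crude verdict. The sample rows are constructed for illustration and are not Everest's data; the column names and the sensitivity heuristics are assumptions.

```python
"""Triage a leaked-data sample: profile each column by value type and judge
whether the sample looks like a marketing/CRM export of business contacts,
a list of personal contacts, or something genuinely sensitive.

Added example; not part of the original article. The CSV below is
constructed to mirror the column types the article describes."""
import csv
import io
import re
from collections import Counter

# Constructed sample (not the data Everest published).
SAMPLE_CSV = """domain,email,phone,city,country,gdpr_region,social,hosting,tech_stack
example-shop.com,info@example-shop.com,+44 20 7946 0000,London,UK,EU,https://twitter.com/exampleshop,Shopify,"Shopify;PayPal"
acme.example,contact@acme.example,+1 415 555 0100,San Francisco,US,Non-EU,https://linkedin.com/company/acme,Amazon,"WordPress;Google Cloud"
widgets.example,sales@widgets.example,+49 30 123456,Berlin,DE,EU,,Google Cloud,"WordPress;PayPal"
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
URL_RE = re.compile(r"^https?://", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)

# Role mailboxes point at a company contact, not a named person (assumed list).
ROLE_LOCALPARTS = {"info", "contact", "sales", "support", "admin", "hello", "office"}

# Header names that make a sample sensitive on their own (assumed list).
SENSITIVE_HEADERS = {"password", "password_hash", "ssn", "api_key", "token",
                     "secret", "dob", "credit_card", "iban"}


def classify_value(value):
    """Map one cell to a coarse value type."""
    v = value.strip()
    if not v:
        return "empty"
    if EMAIL_RE.match(v):
        return "email"
    if URL_RE.match(v):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    if PHONE_RE.match(v):
        return "phone"
    return "text"


def profile_columns(csv_text):
    """Return {column_name: Counter(value_type -> count)} over the sample."""
    reader = csv.DictReader(io.StringIO(csv_text))
    profile = {name: Counter() for name in reader.fieldnames}
    for row in reader:
        for name, value in row.items():
            profile[name][classify_value(value or "")] += 1
    return profile


def find_email_column(profile):
    """First column whose dominant value type is 'email', or None."""
    for name, counts in profile.items():
        if counts and counts.most_common(1)[0][0] == "email":
            return name
    return None


def role_email_ratio(csv_text, column):
    """Fraction of email values in `column` that use a role local-part."""
    reader = csv.DictReader(io.StringIO(csv_text))
    total = role = 0
    for row in reader:
        v = (row.get(column) or "").strip()
        if EMAIL_RE.match(v):
            total += 1
            if v.split("@")[0].lower() in ROLE_LOCALPARTS:
                role += 1
    return role / total if total else 0.0


def triage(csv_text):
    """Verdict: 'sensitive' if credential/identity columns are present;
    'business_contact' if the rows carry domains or URLs and the emails are
    mostly role mailboxes; otherwise 'personal_contact'."""
    profile = profile_columns(csv_text)
    if {h.lower() for h in profile} & SENSITIVE_HEADERS:
        return "sensitive"
    company_shape = any(("domain" in c) or ("url" in c) for c in profile.values())
    email_col = find_email_column(profile)
    ratio = role_email_ratio(csv_text, email_col) if email_col else 0.0
    if company_shape and ratio >= 0.5:
        return "business_contact"
    return "personal_contact"


if __name__ == "__main__":
    for col, counts in profile_columns(SAMPLE_CSV).items():
        print(f"{col:12s} {dict(counts)}")
    print("verdict:", triage(SAMPLE_CSV))
```

The verdict is deliberately coarse: it tells you whether the sample warrants a full incident response or only a check of which export could have produced it, which is the question the Mailchimp statement below turns on.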

Mailchimp told it-daily.net: “The security of our products and our customers’ data are among our highest priorities. We are aware of the claims regarding Intuit Mailchimp’s systems. Based on our investigation at this time we have no evidence to suggest any security incidents or exfiltration of data from our systems.”


Everest ransomware: Obscure actor with double-extortion model

The Everest ransomware group is a Russian-speaking cybercrime group that has been active since the end of 2020 and specializes in extortion through encryption and data theft. Under its so-called “double-extortion” model, data is stolen and encrypted inside the target company, and the group then threatens to publish the stolen information unless a ransom is paid. Among its most prominent victims were the Brazilian government and NASA.

The group has changed over time: since around the end of 2022, Everest has increasingly acted as an Initial Access Broker (IAB), selling network access to compromised companies instead of carrying out the encryption itself. Lately it has operated primarily as a data trader, publishing stolen data from organizations such as Coca-Cola and entities connected to NASA and, most recently (July 2025), the Saudi Arabian Rezayat Group.
