LockBit claim about hacking U.S. Federal Reserve fizzles

The LockBit ransomware gang claimed it had breached the U.S. Federal Reserve, but it ultimately leaked data belonging to a single bank.

On June 23, LockBit listed the U.S. Federal Reserve on its data leak site and claimed to have obtained roughly 33 TB of stolen data. The gang also published a countdown on its leak site with a deadline of June 25, at which point LockBit would publish the stolen data. When the timer ran out, researchers analyzed the data that was published and found that it belonged to a single organization: Evolve Bank & Trust, a banking company based in Arkansas.

In a statement shared with TechTarget Editorial, Evolve confirmed that it was investigating a cybersecurity incident, but did not specifically name LockBit. However, it did confirm that stolen data was published on the dark web, effectively confirming LockBit’s claims. The full statement read as follows:

Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization. It appears these bad actors have released illegally obtained data on the dark web. We take this matter extremely seriously and are working tirelessly to address the situation. Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. This incident has been contained, and there is no ongoing threat.

In response to this event, we will offer all impacted customers (end users) complimentary credit monitoring with identity theft protection services. Those affected will be contacted directly with instructions on how to enroll in these protective measures. Additionally, impacted customers will receive new account numbers if warranted. Updates and further information will be posted on our website as they become available.

LockBit is a notorious and prolific ransomware-as-a-service gang, one that has had a tumultuous recent history. February saw “Operation Cronos,” an international law enforcement operation led by the U.K.’s National Crime Agency that involved two arrests as well as the seizure of gang infrastructure.

Law enforcement also obtained approximately 1,000 decryption keys and commandeered LockBit’s prior data leak site domains to publish press releases, decryption keys, back-end leaks, the identity of LockBit’s administrator and more. It is in large part due to these efforts that LockBit’s comeback has been unsuccessful, according to cybersecurity experts.

In the months since Operation Cronos, LockBit has made exaggerated or unverified claims about attacking high-profile targets. While ransomware gangs and other cybercriminals often overstate or outright lie about their exploits, LockBit's initial claim about breaching the U.S. Federal Reserve received significant attention from media outlets and infosec professionals.

Asked why he thought LockBit would lie in this case, Shobhit Gautam, security solutions architect at HackerOne, told TechTarget Editorial in an email that LockBit 3.0 could be trying to rebuild its reputation after the disruption earlier this year. He suggested there was a spectrum of possibilities.

“Lockbit 3.0 may have their own objectives in mind. It appears they may aim to gain attention and possibly attempt to coerce the Federal Reserve into paying a ransom. Alternatively, they could be utilizing this strategy to cast doubt on the security posture of U.S. financial institutions,” Gautam said. “The other possibility would be that they might have gained some access into a Federal Reserve system, but not enough to steal data that would have significance. Maybe exaggerating their success could land them a ransom.”

Meanwhile, Josh Jacobson, director of professional services at HackerOne, said sowing distrust and disseminating misinformation has been a common threat actor technique in the U.S.

“Whether or not an attack actually occurred, this can be spun to make the Fed and by extension the U.S. government look bad,” Jacobson said. “They either were attacked, or shouldn’t they know they weren’t attacked? Why not come out stronger from the gate if there were no issues?”

LockBit’s Federal Reserve claim is the latest example of threat actors muddying the waters with exaggerated or false claims. In May, threat intelligence vendor Hudson Rock published a blog post, based on information provided by a threat actor, that claimed cloud storage and analytics giant Snowflake suffered a “massive breach” that further led to breaches of a number of its customers as well.

However, Snowflake and third-party investigators CrowdStrike and Google Cloud’s Mandiant said this was not the case and that Snowflake customers were breached through previously compromised credentials that had no MFA protection. Hudson Rock’s blog post was taken down shortly following its publication.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.