The chain of custody nobody owns

April 20, the Everest ransomware gang dropped sample data on its dark-web leak site and started a six-day clock. By the time you read this, the deadline has either passed or it is about to.

Citizens Financial Group runs $227.9 billion in assets across 1,000 branches in 14 states. Frost holds $53 billion plus $67 billion in trust. Both confirmed by April 23 that the entry point wasn’t them.

It was a third-party vendor.

The vendor that printed Citizens’ statements. The vendor that handled Frost’s tax-document fulfillment.

Both banks denied any compromise of their own networks. Both are right and both are wrong, depending on what “compromise” means.

The bank wasn’t the breach. The printer was. The customer can’t tell the difference, and neither, increasingly, can the regulator.

  • 3.4M Citizens Bank records — Names, addresses, account numbers, internal flags. Citizens declined to respond to the volume claim and stated most of what was taken was masked test data.
  • 250K Frost Bank records — Social Security numbers, taxpayer IDs, mortgage interest rates, income data. Frost confirmed via American Banker that early findings indicate the incident may be related to recent claims made by cybercriminals.

Citizens has best-in-class controls. MFA on email. EDR on endpoints. Backups tested. Phishing-resistant authentication for privileged access. None of it mattered. The breach didn’t walk through any of that.

It walked through a printer. And the bank you trust most is one outsourced fulfillment contract away from the same headline.

I sat with this story for six hours convinced the headline was the bank. It’s not. It’s the printer. And every security team I’ve talked to this week is still asking the wrong question — the session question, when the action question is the one with their customer’s money on it.

Identity stopped being something a bank could perimeter-defend the day vendors started touching customer records. The same day. The first day. It was always this way and the industry has been pretending otherwise for a decade.

Citizens’ statement printer is one of a handful of large fulfillment houses that serve most of the U.S. banking sector. Frost’s tax-document outsourcer is the same shape of vendor. ZeroFox confirmed both samples appear to come from a single compromised vendor system, not from either bank’s network. Neither bank can fix what was lost by hardening the bank.

Here is what happens next. Not in theory — in the playbook attackers have run a dozen times in the last eighteen months.

The two questions

Every defensive layer in the exchange stack answered some question correctly when the attacker came through. The attacker did not dispute those answers. The attacker operated in the space between the questions.

The question every bank’s MFA stack answered correctly: “Did the user authenticate at session start with the credentials they enrolled with?”

The question no layer answered: “Is the human authorizing this withdrawal, right now, the same human who enrolled — and did they consent to this specific action, not just any action?”

The first is a session question. The second is an action question. The data in this dump compromises the inputs to the first one for 3.6 million people. Nothing in this dump has the slightest effect on the second one, because nobody asks it.

The reframe

Mitchell Amador of Immunefi, on April 24: “With code becoming harder to exploit, the main target for hackers in 2026 is people.”

He is right and he is understating it. The target isn’t the person. The target is every system that ever trusted that the person on the other end was who they said they were. The Frost sample contains SSNs — the answer key to every knowledge-based authentication question Coinbase, Kraken, and Gemini ask before authorizing a withdrawal. The phone numbers are tied to the same SMS 2FA those exchanges still use as a second factor. SIM-swap one number, satisfy the KYC questions with the dump data, and the second factor is whatever the attacker controls.

The exchange does not fail any control it had configured. The exchange is still on the hook when the customer’s funds are gone.

This week alone

Citizens / Frost is one reading on a trend line that ran through the whole month. Six events this week share one structure: every loss happened at a layer the victim did not directly control.

  • APR 18 — KelpDAO rsETH bridge. $292M. LayerZero forged message.
  • APR 20 — Vercel. API keys exposed via Context.ai compromise.
  • APR 20 — Citizens / Frost Bank. 3.6M records. Print vendor.
  • APR 21 — Volo Protocol. $3.5M. Socially engineered admin signs.
  • APR 23 — Circle (USDC). Class action. Failed to freeze Drift funds.
  • APR 23 — Grinex. ~$13M. Identity-mediated withdrawals.

Six events. One week. Each victim ran the controls their security team owned. None of those controls covered the layer that actually failed.

Three predictions, dated, public

Same blog. Same byline. If any is wrong by its deadline, I write the retraction in this same archive within seven days.

  1. Deadline May 24. A U.S. crypto exchange announces an account takeover traceable to data from this dump.
  2. Deadline Jul 24. At least one cyber insurance carrier issues a renewal term sheet that excludes losses where SMS-based 2FA was the only step-up factor on a high-value transaction.
  3. Deadline Jul 24. At least one U.S. bank or fintech announces a per-transaction biometric step-up product.

Predictions you can be wrong about are more interesting than thesis statements you can’t.

Threat model update

Working assumption for U.S. bank, fintech, and crypto exchange security teams:

  1. If you currently use SSN, date of birth, address, or any field present in the Frost / Citizens dump as a verification input — that input is now public for 3.6M people.
  2. SMS 2FA was already broken. The phone numbers in this dump are the inputs to the next round of SIM swaps. Treat any SMS-only step-up as functionally absent.
  3. The remaining viable factor at the moment of money movement is inherence — something attached to the human, in the moment, that an attacker holding $40 worth of credentials cannot reproduce.
  4. Per-action biometric step-up — with a signed, timestamped, independently verifiable receipt — is the only configuration that produces an artifact an underwriter or court can audit after the fact. Session tokens don’t produce that. MFA logs don’t produce that. SOC 2 control narratives don’t produce that.
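An added example (not from the original post, nor from any bank or vendor named in it) of what item 4 looks like in code: the attestation service signs the action's own parameters the moment the step-up succeeds, and the layer in front of the action, or an auditor months later, verifies it with nothing but the public key. The receipt format, field names, and the placeholder attestation verdict are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ActionReceipt is a format constructed for this example: one money-movement action,
// at one moment, bound to the step-up verdict for the human who enrolled (placeholder).
type ActionReceipt struct {
	AccountID, Action, Destination string
	AmountCents, IssuedAt          int64  // IssuedAt: unix seconds set by the attestation service
	Nonce, Attestation             string // Nonce is unique per receipt so it cannot be replayed
}

// canonical is the exact byte string under the signature; json.Marshal keeps field order.
func canonical(r ActionReceipt) []byte { b, _ := json.Marshal(r); return b }
// Sign runs on the attestation service right after the biometric step-up succeeds.
func Sign(priv ed25519.PrivateKey, r ActionReceipt) []byte { return ed25519.Sign(priv, canonical(r)) }

// Authorize runs in front of the action, and later by an auditor holding only the public key:
// the receipt must verify, be fresh, and name exactly the action being executed. No session token is an input.
func Authorize(pub ed25519.PublicKey, r ActionReceipt, sig []byte, want ActionReceipt,
	now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, canonical(r), sig) {
		return errors.New("receipt signature invalid")
	}
	if age := now.Sub(time.Unix(r.IssuedAt, 0)); age < 0 || age > maxAge {
		return errors.New("receipt stale or not yet valid")
	}
	if r.AccountID != want.AccountID || r.Action != want.Action ||
		r.AmountCents != want.AmountCents || r.Destination != want.Destination {
		return errors.New("receipt does not match the requested action")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := ActionReceipt{AccountID: "acct-123", Action: "withdraw", Destination: "dest-placeholder",
		AmountCents: 250000, IssuedAt: time.Now().Unix(), Nonce: "n-1", Attestation: "step-up-ok"}
	sig, altered := Sign(priv, r), r
	altered.Destination = "attacker-placeholder" // same session, different action
	fmt.Println(Authorize(pub, r, sig, r, time.Now(), 2*time.Minute))       // <nil>
	fmt.Println(Authorize(pub, r, sig, altered, time.Now(), 2*time.Minute)) // mismatch error
}
```

The receipt plus the public key is the auditable artifact: an underwriter can re-run Authorize against the executed transaction without trusting the exchange's session logs.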

Next week

Somebody else will lose. A different vendor, a different bank, a different fulfillment house. The bank will say its network was not compromised. The bank will be telling the truth. The customer whose account was drained at the exchange will not care which network it was. The next $300M loss won’t be a smart-contract bug. It’ll be 3.6 million people’s authentication answers, sold at commodity-tier prices, used at the layer nobody re-verified.

Somebody is going to call support next month and find out every one of their checks passed. That call is on you. Not on the printer. Not on the vendor. On the layer in front of the action.

Audits are the floor. Vendor controls are the wall. Runtime human attestation at the action is the ceiling. Right now most institutions ship only the floor and the wall, and every week something gets in through the top.