LockBit Claims Ransomware Attack on U.S. Federal Reserve
2024-6-26 03:16:5 Author: securityboulevard.com

The LockBit ransomware group is claiming that it hacked into systems at the U.S. Federal Reserve and stole 33TB of data that it will begin leaking as early as Tuesday if the institution doesn’t pay the unspecified ransom.

The notorious cybercriminals announced the attack on their dark web leak site on June 23, giving the country’s central banking system 48 hours to pay the ransom. In its message, the group also said the Fed needed to find another negotiator during that time and fire “this clinical idiot,” apparently referring to another negotiator.

The Fed has not responded to reports of the breach and there is ample skepticism among cybersecurity professionals over whether LockBit actually got into the institution’s systems or is making the claim for other reasons.

Cyberthreat researcher Dominic Alvieri hasn’t been shy about his thoughts. On X (formerly Twitter), Alvieri posted, “LockBit posts the US Federal Reserve? Someone is mad.”

In another post, he pointed to an unrelated data breach – also claimed by the Russia-linked LockBit gang – of semiconductor solutions provider Kulicke and Soffa in May and noted that LockBit had given the company until Wednesday to pay the demanded ransom.

“I don’t think he has anything non public on the fed,” Alvieri wrote, likely referring to LockBit’s ringleader, Dmitry Yuryevich Khoroshev. “He’ll prolly post ‘leaked’ and release nothing as a last gasp to get Kulicke to pay.”

The malware collective vx-underground, in its own post on X, used the word “doubt” and added that “if Lockbit ransomware group actually ransomed the United States Federal Reserve it would be DEFCON 2 and the administrators would need to worry about a drone strike.”

“Unless Lockbit ransomware group ransomed something small in the Federal Reserve, like maybe Lockbit took down their coffee machine and they can’t watch anime or something (we don’t know what the staff at the Federal Reserve actually do),” the group added.

Helping to fuel the doubt is that the group has not shown samples of the stolen data, which often is done.

An Active and Constant Threat

LockBit, which came onto the scene in 2019, has been among the most prolific ransomware-as-a-service (RaaS) groups in recent years, with the FBI saying that more than 2,000 victims have been targeted by the group, which has stolen more than $100 million. Victims of LockBit and its affiliates over the past several months include giant aircraft maker Boeing, Capital Health, packaging manufacturer Pratt Industries, Chinese telecom Sunwave Communications, and the Colonial School District in Pennsylvania.

U.S. and international law enforcement, which in recent years have become more aggressive in pursuing high-profile cybercrime groups, seizing their infrastructures and websites, and indicting suspects in connection with them, targeted LockBit in a February campaign dubbed Operation Cronos. They seized the group’s public-facing websites, took control of servers run by the gang’s administrators, and grabbed decryption keys to help some victims regain access to their data.

In May, the U.S. Justice Department indicted Khoroshev, the Russian national suspected of being the creator and administrator of LockBit.

According to managed security services provider NCC Group, LockBit emerged after Operation Cronos in May with a surge in activity that saw it again be the most prolific ransomware group, accounting for 37% of all ransomware attacks and showing a 665% month-over-month increase. Matt Hull, global head of threat intelligence at NCC Group, wrote in a report last week about the speculation after the law enforcement takedown that LockBit, like other gangs in similar situations, would dissolve operations and disappear.

“The current surge in victim numbers suggests a different story,” Hull said. “It’s possible that amidst law enforcement action, LockBit not only retained its most skilled affiliates but also attracted new ones, signaling their determination to persist.”

He added that “alternatively, the group might be inflating their numbers to conceal the true state of their organization.”

If True, It’s a Big Deal

Either way, it continues to make noise. As for the claim of the Fed attack, it’s still unclear if there is any substance behind the noise. If the claim is legitimate, it’s a significant and dangerous attack.

“Unless and until the data is released, this remains unconfirmed,” said Steve Hahn, executive vice president at cybersecurity firm BullWall. “But if true, it’s certainly a grave situation. In having claimed that LockBit was taken down, the global agencies appear to have further accelerated LockBit’s activities and motivation.”

Hahn added that Khoroshev “operates a hydra-like organization with multiple heads, with new leaders emerging whenever one is taken down.”

Agnidipta Sarkar, vice president of CISO advisory at security company ColorTokens, noted some of LockBit’s more prominent attacks, including on Boeing and ICBC Bank.

“However, not all of its claims have been verified,” Sarkar said. “Despite having its infrastructure seized and its alleged leader, Dmitry Yuryevich Khoroshev, exposed by law enforcement authorities, the group seems to have continued its activities. We will need to wait for further updates on this matter.”

If the claims are true, “regulators will need to intervene to ensure that businesses are breach-ready, and banks will need to prioritize foundational cybersecurity by isolating critical operations from other systems,” he said.

Article source: https://securityboulevard.com/2024/06/lockbit-claims-ransomware-attack-on-u-s-federal-reserve/