Under Armour Breach

Hackers Claim Under Armour Breach, Stealing 343GB of Customer & Employee Data

A message has appeared on the dark-web site operated by the Everest group, in which the actors claim responsibility for breaching Under Armour’s infrastructure and stealing a vast trove of data. The post concerning the globally recognised apparel and footwear brand is accompanied by an elaborate description of the allegedly exfiltrated dataset, which includes both customer information and corporate documentation. Such assertions have already drawn the attention of threat-intelligence analysts who have been monitoring Everest since 2023, as the group has consistently expanded its roster of victims and frequently wields the threat of data disclosure as leverage against targeted companies.

The hackers allege they extracted millions of records containing personal details of customers from multiple countries and obtained full access to a database they describe as Under Armour’s internal structure, with a total size of 343 gigabytes. According to them, it contains documents, correspondence, internal files, and employee information, including work contacts, home addresses, and departmental affiliations. The same leak site features a countdown timer, urging representatives of the company to make contact before the deadline expires. At the time of the post, just over a week remained. Under Armour has not confirmed the incident.

The directory structure shown on the leak site includes user IDs, email addresses, and purchase histories with dates, items, prices, quantities, delivery statuses, and return information. For newsletter subscribers, entries reportedly include country of residence, stated gender, and full postal addresses. Additional datasets are said to contain information tied to employee work accounts, office listings, and internal teams. While no examples show banking-card data, the currency type is recorded for every order, a detail that could be used to craft targeted attacks. Given its breadth, the leaked data is potentially valuable for social-engineering campaigns, impersonation attempts, fraudulent returns, and the theft of digital identities.

Such an incident heightens risks for Under Armour’s large customer and employee base. The brand maintains a presence in more than 15,000 retail locations, produces clothing lines for men, women, and children, and employs roughly 1,400 people. The company is headquartered in both Baltimore and Amsterdam, with additional offices in Denver, Hong Kong, Toronto, and Guangzhou. Its 2025 revenue is estimated at 5.1 billion dollars, though the business continues to navigate post-pandemic restructuring.

Everest’s activity has surged noticeably in recent years. The group now claims more than 250 victims since 2023, with over 100 organisations added in just the past 12 months. Last week, the attackers claimed responsibility for stealing 159 gigabytes of data from SAID Group, one of Italy’s largest industrial-gas producers. In October, they claimed a breach of Collins Aerospace and the MUSE software that manages airport check-in desks and passenger-flow systems across Europe, an incident that led to hours-long flight delays. Subsequently, the group threatened to release data from Dublin Airport passengers, publishing a portion after negotiations with the vendor failed.

Their list of purported targets also includes Coca-Cola subsidiaries in the Middle East, the Department of Culture and Tourism of Abu Dhabi, Jordan Kuwait Bank, Pacific HealthWorks in the United States, the Crumbl bakery chain, Mailchimp, and the Radisson Country Inn & Suites hotel group. Given this selection of victims, research teams consider Everest among the most active financially motivated threat groups and associate it with operators behind BlackByte.