FBI Recovers $2.4M in Bitcoin From Chaos Ransomware Bust

Summary
– FBI Dallas seized 20 Bitcoins (worth over $2.3 million) from a Chaos ransomware affiliate named “Hors” linked to cyberattacks on Texas companies.
– The seizure occurred on April 15, 2025, and the U.S. Department of Justice filed a civil forfeiture complaint for the funds on July 24, 2025.
– The new Chaos ransomware operation is a rebrand of BlackSuit, which itself evolved from the Conti ransomware gang after its shutdown in 2022.
– Researchers link the new Chaos group to BlackSuit due to similarities in encryption, ransom notes, and attack tools.
– The seized Bitcoin wallet may have been uncovered during a law enforcement investigation into BlackSuit’s dark web extortion sites.

The FBI has successfully recovered $2.4 million in Bitcoin linked to a notorious ransomware group responsible for cyberattacks targeting businesses in Texas and beyond. The seized funds, totaling 20.2891382 BTC, were traced to a digital wallet associated with an individual known as “Hors,” a suspected affiliate of the Chaos ransomware operation.
Authorities executed the seizure on April 15, 2025, following an investigation into attacks orchestrated by the group. The U.S. Department of Justice later filed a civil complaint to permanently confiscate the cryptocurrency, now valued at over $2.4 million. Civil forfeiture laws enable the government to take ownership of assets tied to criminal activity, providing a legal pathway to disrupt ransomware financing.
Chaos ransomware has emerged as a rebranded version of the BlackSuit operation, itself an offshoot of the infamous Conti ransomware gang. While the name may sound familiar, this newer iteration has no connection to an older, less sophisticated variant that circulated in 2021. Instead, the current group shares striking similarities with BlackSuit, from encryption methods to ransom note formatting, suggesting a direct lineage.
The Conti ransomware syndicate disbanded in 2022 after a major data breach, scattering its members into smaller factions. One such successor, the Royal (Quantum) ransomware group, later evolved into BlackSuit before adopting the Chaos moniker. Security analysts at Cisco Talos identified overlapping tactics, reinforcing suspicions that Chaos is merely the latest rebrand in an ongoing cycle of cybercriminal reinvention.
Though the FBI has not publicly confirmed which Chaos faction “Hors” belonged to, evidence points to the newer operation. The timing aligns with recent law enforcement actions, including the takedown of BlackSuit’s dark web leak sites, which may have exposed the Bitcoin wallet in question.
This seizure marks another step in the ongoing battle against ransomware, demonstrating law enforcement’s ability to track and reclaim illicit cryptocurrency gains. As cybercriminals continue to rebrand and adapt, authorities remain focused on dismantling their financial networks, one digital wallet at a time.
(Source: Bleeping Computer)