
FBI seizes $2.4M in Bitcoin from new Chaos ransomware operation


FBI Dallas has seized roughly 20 Bitcoins from a cryptocurrency address belonging to a Chaos ransomware member linked to cyberattacks and extortion payments from Texas companies.

The crypto was seized on April 15, 2025, and was traced to an affiliate named “Hors,” who is suspected of launching the attacks against the companies.

“The seized funds were traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as ‘Hors,’ who has been tied to ransomware attacks against victims here in the Northern District of Texas and elsewhere,” reads the FBI’s announcement.

“As a result of the actions, 20.2891382 BTC was seized (now valued at over $2.3 million) from cryptocurrency address bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd on April 15, 2025.”


The U.S. Department of Justice released a statement announcing that, on July 24, 2025, it filed a civil complaint seeking the forfeiture of the amount the FBI seized, which is now valued at over $2,400,000.

Civil forfeiture allows the government to file a complaint directly against the property, seeking to take permanent possession of assets believed to be connected to criminal activity, in this case, ransomware.

Chaos ransomware revival

The cryptocurrency was seized from the relatively new Chaos ransomware operation, which is believed to be a rebrand of the BlackSuit ransomware group.

Although the name is the same as a low-tier ransomware variant whose builder has been used by cybercriminals since mid-2021, the new Chaos gang has no links to this older variant.

The new Chaos ransomware operation stems from the notorious Conti ransomware gang, which suffered a data breach and shut down in June 2022. Its members then splintered into numerous other ransomware gangs.

In January 2023, the Royal (Quantum) ransomware gang was launched, which was believed to be the direct successor to the notorious Conti operation.

In June 2023, after feeling pressure from law enforcement over the attack on the City of Dallas, Texas, the Royal ransomware operation began testing a new BlackSuit encryptor, eventually rebranding as BlackSuit.

Cisco Talos researchers believe the new Chaos ransomware is a rebrand of BlackSuit based on similarities in the encryption, ransom note structure, and the toolset used in the attacks.

While the U.S. DOJ and FBI have not explicitly distinguished which Chaos group ‘Hors’ belonged to, BleepingComputer confirmed that the Bitcoin seizure is linked to the new Chaos operation.

As the BlackSuit ransomware operation had its dark web extortion sites seized by law enforcement last week, it is possible that the law enforcement investigation uncovered this cryptocurrency wallet as part of the operation.
