FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms
FBI Dallas seized 20 BTC from Chaos ransomware affiliate “Hors,” tied to cyberattacks on Texas firms, on April 15, 2025.
The FBI's Dallas division seized about 20 Bitcoin on April 15, 2025, from a wallet belonging to a Chaos ransomware affiliate identified as “Hors.” The Hors affiliate is responsible for multiple cyberattacks on Texas companies.
“On Thursday, July 24, 2025, the United States filed a civil complaint in the Northern District of Texas seeking the forfeiture of over $1.7 million worth of cryptocurrency seized by Dallas FBI in mid-April 2025, announced Acting United States Attorney for the Northern District of Texas Nancy E. Larson,” reads the press release published by the DoJ.
“As alleged in the complaint, 20.2891382 BTC was seized from cryptocurrency address bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd on April 15, 2025. The seized cryptocurrency, now valued at over $2.4 million, allegedly constitutes property involved in unlawful activity, or proceeds of or property derived from unlawful activity, including money laundering and extortion related to damage to a protected computer, commonly referred to as a ransomware attack. The seized cryptocurrency was traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as “Hors,” which has been tied to ransomware attacks against victims located in the Northern District of Texas and elsewhere.”
The new Chaos ransomware operation, likely a rebrand of BlackSuit, is unrelated to the earlier low-tier variant from 2021. It emerged from the defunct Conti gang, which shut down in 2022 after a data breach.
Chaos ransomware began as a fake Ryuk clone in 2021, initially destroying files instead of encrypting them. Over time, it evolved into a real ransomware family with encryption, obfuscation, and data theft features. Distributed as a builder, it enabled even unskilled actors to launch attacks. By 2023, Chaos was part of the ransomware-as-a-service ecosystem, used in targeted extortion campaigns by affiliates like “Hors”.
Pierluigi Paganini
(SecurityAffairs – hacking, malware)