In a significant development in the fight against international cybercrime, the Federal Bureau of Investigation (FBI) has seized over $2.4 million worth of Bitcoin from a cryptocurrency wallet linked to a ransomware operator affiliated with the new Chaos ransomware gang. The seizure is part of a broader U.S. government effort to disrupt ransomware operations, especially those targeting critical sectors and private businesses across the country.
On April 15, 2025, the FBI’s Dallas Field Office confiscated 20.2891382 BTC from a digital wallet tied to a cybercriminal identified by the alias “Hors”—an individual believed to be directly involved in ransomware attacks on companies in Texas and other U.S. states.
The cryptocurrency was traced to the address:
bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd
This wallet was allegedly used to receive ransom payments from victims of the Chaos ransomware group’s cyber extortion campaigns.
FBI and DOJ Coordination: From Seizure to Legal Action
Following the seizure, on July 24, 2025, the U.S. Department of Justice (DOJ) announced that it had filed a civil forfeiture complaint in federal court seeking permanent legal control over the confiscated assets. The civil complaint—commonly used in cases involving organized cybercrime—argues that the Bitcoin was used or intended for use in criminal activity, including computer intrusion, extortion, and money laundering.
According to the DOJ, civil forfeiture allows the government to initiate a legal process against the property itself rather than the individual in possession. This strategy is frequently employed when it is difficult to locate or prosecute international cybercriminals who operate outside U.S. jurisdiction.
This action marks another example of how law enforcement is increasingly adept at identifying, tracking, and recovering funds derived from cyber-enabled crime,” said a DOJ spokesperson.
The DOJ emphasized that seizures like this help deprive ransomware groups of their illicit profits, while also sending a message that cryptocurrency is not a shield against law enforcement scrutiny.
Who Is Hors? The Suspected Chaos Ransomware Affiliate
The individual known as “Hors” is believed to be a key affiliate of the Chaos ransomware operation. Affiliates in ransomware-as-a-service (RaaS) models typically license ransomware tools developed by core teams and then execute their own attacks. In exchange, they share a percentage of the ransom proceeds with the developers.
While detailed identity information has not been released due to the ongoing investigation, FBI Dallas confirmed that Hors is suspected of carrying out ransomware attacks primarily targeting private businesses in the Northern District of Texas. These attacks led to significant financial losses, data encryption, and potential leaks of sensitive corporate data.
The seized Bitcoin is believed to represent ransom payments collected through these attacks.
Understanding the New Chaos Ransomware Operation
It’s important to clarify that the new Chaos ransomware operation is not connected to the older version of Chaos ransomware that appeared in 2021, which was considered a low-tier malware tool used by amateur cybercriminals.
Instead, the new Chaos group is believed to be an advanced and reorganized version of the BlackSuit ransomware gang, which itself originated from the notorious Conti ransomware syndicate.
Let’s explore this lineage further:
| Group Name | Origin Year | Notable Events and Links |
| Conti | Before 2022 | Major Russian-speaking ransomware gang, disbanded after leaks in 2022 |
| Royal (Quantum) | January 2023 | Emerged from Conti members, responsible for major attacks including one on the City of Dallas |
| BlackSuit | Mid-2023 | Believed to be a rebranding of Royal, introduced new encryption tool |
| Chaos (New) | 2024–2025 | Considered a refined evolution of BlackSuit using enhanced ransomware tools |
Cybersecurity firm Cisco Talos has conducted in-depth research into these ransomware evolutions. According to their analysis, the new Chaos ransomware uses encryption methods, ransom note formatting, and toolkits that mirror those used in the BlackSuit operation. This evidence supports the theory that Chaos is not a new threat but rather a rebranded and more advanced continuation of an existing ransomware lineage.
How Law Enforcement Traced the Cryptocurrency
Bitcoin and other cryptocurrencies are often assumed to be anonymous, but in reality, blockchain transactions are traceable and transparent.
Investigators at the FBI used blockchain analysis tools—such as those developed by firms like Chainalysis and CipherTrace—to trace the path of ransom payments from victims’ wallets to the one controlled by Hors.
Once the suspicious address was identified, the FBI collaborated with cryptocurrency exchanges, wallet providers, and international enforcement agencies to intercept and seize the funds.
This case illustrates the growing technical capabilities of U.S. authorities in cyber forensics, especially when it comes to identifying illicit financial flows.
Connection to Dallas Ransomware Attack and Further Disruptions
The seizure is believed to be part of an ongoing investigation into the Royal/BlackSuit ransomware attacks, particularly those involving critical infrastructure in Texas. Notably, in 2023, the City of Dallas experienced a devastating ransomware attack that caused months of operational disruption.
Following that incident, the Royal ransomware operation began testing a new encryptor and eventually rebranded as BlackSuit. As law enforcement pressure increased, the operation evolved into Chaos, hoping to evade detection while continuing to target high-value victims.
Just one week before the seizure, the FBI and its partners successfully took down the BlackSuit extortion sites on the dark web, further crippling the ransomware group’s operations.
Why This Matters: Ransomware, Rebranding, and the Ongoing Fight
The seizure of Bitcoin in this case demonstrates a shift in law enforcement strategy from reactive measures to proactive dismantling of ransomware ecosystems. Instead of waiting for ransom payments or data leaks to occur, federal agencies are now:
- Tracking affiliate wallets
- Analyzing blockchain behavior
- Targeting rebranded operations like Chaos
- Seizing both infrastructure and funds
Additionally, civil forfeiture plays a critical role in disrupting ransomware economics by cutting off the financial lifeline these criminal groups rely on.
This case also highlights the dangers of ransomware rebranding. By shifting names and slightly changing tools, threat actors aim to avoid detection and continue operations under a new identity. However, forensic links—like encryption similarity and ransom note structure—can still expose these connections, as seen in the Cisco Talos report.
A Strong Message to Ransomware Gangs
With this successful Bitcoin seizure and pending forfeiture case, the FBI and DOJ have shown that cryptocurrency is no longer a safe haven for cybercriminals. Even though ransomware groups continue to evolve and rebrand, law enforcement is keeping pace with their tactics—using data, partnerships, and legal tools to hunt them down.
The seizure of over $2.4 million in Bitcoin from Hors, an affiliate of the new Chaos ransomware group, is not just a win for cybersecurity—it is also a clear warning to other cybercriminals:
Digital footprints leave trails, and justice follows them.
The Information is Collected from Bleeping Computer and Bitcoin.
