
FBI Seizes $2.4 Million in Bitcoin From a Chaos Ransomware Affiliate

Written by Eduardo Morales | Jul 29, 2025 10:05:47 PM

In a major blow to cybercrime, the FBI's Dallas field office seized just over 20 Bitcoin (valued at more than $2.4 million) linked to a member of the Chaos ransomware group. The cryptocurrency was tied to extortion attacks on businesses in Texas.

The seizure took place on April 15, 2025, after investigators traced the funds to a cryptocurrency wallet connected to an affiliate known as "Hors," who allegedly took part in multiple ransomware attacks in North Texas and beyond.

According to the FBI's statement, the 20.2891382 BTC were identified as ransom payments received by "Hors" after infecting corporate systems and demanding money in exchange for restoring access to files.

“The seized funds were in a cryptocurrency address linked to a member of the Chaos ransomware group, nicknamed ‘Hors,’ and were associated with attacks here in the Northern District of Texas,” the FBI stated in its announcement.

The implicated address was: bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd

This case marks a significant step forward in efforts to curb the use of cryptocurrency in cybercrime. It also demonstrates that Bitcoin is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, so ransom payments can be followed from wallet to wallet and, with cooperation from exchanges and the right legal process, seized.
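An address like the one quoted above is the kind of indicator that ends up in blocklists, detection rules and reports, so it is worth validating it offline before acting on it. The following Python is an example added by the editor, not code from the FBI, the DOJ or the original article: it decodes a bech32/bech32m Bitcoin address (BIP173/BIP350), verifies the checksum, checks that the checksum variant matches the witness version, and reports the script type, which catches a mistranscribed address before it is used. The seized address from the announcement is used as a sample input next to a BIP173 test vector; the function names are the editor's own.

```python
"""Validate and classify a Bitcoin bech32/bech32m address (BIP173/BIP350).

Editor-added illustration; not code from the FBI, DOJ or the article.
The only article input is SEIZED_ADDRESS; the other addresses used below
are BIP173 test vectors.
"""

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1            # BIP173 checksum constant, witness version 0
BECH32M_CONST = 0x2BC830A3  # BIP350 checksum constant, witness version 1+

# Address quoted in the FBI announcement discussed in the article.
SEIZED_ADDRESS = "bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd"


def _polymod(values):
    """BCH checksum core as specified in BIP173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    """Expand the human-readable part ("bc") into the checksum input."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    """Regroup frombits-wide integers into tobits-wide integers."""
    acc = bits = 0
    out = []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None  # non-zero or excessive padding: malformed program
    return out


def decode_segwit_address(addr, expected_hrp="bc"):
    """Return (witness_version, witness_program) or None if the address is invalid.

    Rejects mixed case, characters outside the bech32 charset, a failed
    checksum, a checksum variant that does not match the witness version,
    and program lengths that BIP141 forbids.
    """
    if addr != addr.lower() and addr != addr.upper():
        return None
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, payload = addr[:sep], addr[sep + 1:]
    if hrp != expected_hrp or any(c not in CHARSET for c in payload):
        return None
    data = [CHARSET.index(c) for c in payload]
    const = _polymod(_hrp_expand(hrp) + data)
    version, program5 = data[0], data[1:-6]
    if version > 16:
        return None
    if version == 0 and const != BECH32_CONST:
        return None
    if version > 0 and const != BECH32M_CONST:
        return None
    program = _convertbits(program5, 5, 8, pad=False)
    if program is None or not 2 <= len(program) <= 40:
        return None
    if version == 0 and len(program) not in (20, 32):
        return None
    return version, bytes(program)


def classify_address(addr):
    """Human-readable script type for a mainnet address, or 'invalid'."""
    decoded = decode_segwit_address(addr)
    if decoded is None:
        return "invalid"
    version, program = decoded
    if version == 0 and len(program) == 20:
        return "P2WPKH"
    if version == 0 and len(program) == 32:
        return "P2WSH"
    if version == 1 and len(program) == 32:
        return "P2TR"
    return f"segwit-v{version}"


if __name__ == "__main__":
    samples = (
        SEIZED_ADDRESS,
        "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",  # BIP173 test vector
        "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",  # last character altered
    )
    for a in samples:
        d = decode_segwit_address(a)
        print(a, classify_address(a), d[1].hex() if d else "-")
```

The witness program returned for a valid address is the 20-byte public-key hash (P2WPKH) or 32-byte script hash (P2WSH); that is the value that actually appears in the scriptPubKey on chain, so it is the stable form to store if you later want to match the indicator against raw transaction data rather than against address strings.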


On July 24, 2025, the U.S. Department of Justice (DOJ) filed a civil forfeiture complaint to officially confiscate the more than \$2.4 million in Bitcoin recently seized by the FBI from a suspected operator of the Chaos ransomware group.

This lawsuit is part of a process known as civil forfeiture, which allows the government to take permanent title to assets (such as cryptocurrency) believed to be connected to criminal activity, through a case brought against the property itself rather than against a person. In this case, the funds are tied to ransomware attacks, a form of cyber extortion that has wreaked havoc on businesses across the country.

Who Is Behind the Chaos Ransomware?

While the name "Chaos" might sound familiar, this operation is not related to the Chaos ransomware builder that circulated back in 2021. The new Chaos gang is a more sophisticated operation that, according to researchers at Cisco Talos, appears to be either a rebranding of the BlackSuit group or the work of former BlackSuit members.

Tracing back further, BlackSuit is itself the renamed Royal group, which emerged from the remnants of the infamous Conti ransomware gang after Conti shut down in 2022 following a massive internal data leak.

From Conti to Chaos: A Criminal Evolution

To put things into perspective, here is the group's genealogy:

  1. Conti – Shut down in June 2022, months after an internal leak exposed its chats and source code.

  2. Royal – One of several groups formed by former Conti members, active from 2022 (it is sometimes grouped with Quantum, another Conti offshoot).

  3. BlackSuit – The name Royal adopted in June 2023 under mounting law-enforcement pressure on the Royal brand.

  4. Chaos – The current operation, using tools and tactics nearly identical to BlackSuit.

Researchers at Cisco Talos report that Chaos is virtually identical to BlackSuit in several technical aspects, from the encryption methods used to the design of the ransom note and the tools deployed during attacks.

 

What's 'Hors' Got to Do With It?

One of the most interesting aspects of this case is the role of an actor identified as "Hors," to whom the seized Bitcoin is linked. While the DOJ and FBI have not said what role Hors plays within Chaos, BleepingComputer reported that the confiscated funds are tied to this new Chaos operation, not the 2021 builder of the same name.

The Final Blow to BlackSuit and the Discovery of the Crypto Cache

This seizure follows another major takedown: law enforcement gained control of BlackSuit's extortion sites on the dark web. That operation is widely believed to have been key in identifying the cryptocurrency wallets holding ransom payments, including those tied to Hors.

Actions like this reinforce the idea that anonymity in the crypto world has its limits, especially when authorities have the time, technology, and international cooperation to follow illicit funds across a public ledger.

 


 

Why Does This Case Matter?

Beyond the financial impact, this case highlights several key trends in the fight against ransomware:

  1. Ransomware groups constantly restructure, changing names and tactics to evade law enforcement.

  2. Cryptocurrency remains the preferred payment method, but Bitcoin's public ledger makes it traceable rather than anonymous.

  3. Law enforcement agencies are improving their ability to trace and seize funds, including by taking over the groups' dark-web infrastructure.

  4. Civil forfeiture lets the government take permanent title to seized assets through a case against the property itself, without first securing a criminal conviction of the actor.

 

In Conclusion…

The U.S. Department of Justice is seeking forfeiture, and with it permanent ownership, of the more than $2.4 million in Bitcoin seized from a member of the Chaos ransomware operation. This move is part of a broader strategy to cut off the funding of cybercriminal groups that have evolved from Conti to Chaos, via Royal and BlackSuit. The case also demonstrates that, even as digital criminals change their names and faces, authorities are right behind them.