ransomware

A 27-year-old German hacker, Noah Christopher, was arrested in Bangkok, Thailand, facing up to 74 arrest warrants for cyber crimes in Europe.Investigations show that this individual is suspected of developing and operating a ransomware platform and a "cybercrime-as-a-service" (CaaS) system between 2021 and 2025, including providing distributed denial-of-service (DDoS) attack tools (such as Fluxstress and Neldowner), assisting global clients in launching cyber attacks and charging fees, with related ransom payments involving cryptocurrencies and other digital assets, constituting transnational cybercrime activities. His visa has been revoked, and he is currently detained awaiting extradition to Germany.

On-chain analyst ZachXBT stated that Russian over-the-counter intermediary Aleksandr Khinkis (Aleks) has been accused of assisting a ransomware group in laundering money through a single cryptocurrency exchange account since July 2025. The related funds come from three suspected ransom payments, totaling 796 BTC, equivalent to over 4.7 million USD.On-chain forensics show that some of the Bitcoin was transferred to Avalanche via a cross-chain bridge, then split into about 75 transactions into his exchange deposit address 0xa756...06e. Additionally, approximately 16.6 million USD in related funds remains stored at the relevant addresses or platforms. ZachXBT stated that he has provided clues regarding the aforementioned addresses and fund flows to compliance and law enforcement agencies.

Renowned on-chain investigator ZachXBT released a report today stating that a Russian over-the-counter (OTC) broker named Aleksandr (Aleks) Khinkis is suspected of assisting ransomware groups in laundering over $4.7 million since 2025 through a single cryptocurrency trading platform account.The related funds involve three suspicious ransom payments, totaling approximately 796 bitcoins (BTC). The investigation shows that these funds were transferred in batches to his trading platform's deposit address (0xa756) after being bridged between Bitcoin and Avalanche, completing a total of 75 transactions from 2025 to 2026. Additionally, approximately $16.6 million is currently still held in Aave and is being gradually liquidated.ZachXBT pointed out multiple ransom transactions: a ransom payment of about 72 BTC in September 2025 was bridged to the related address; a ransom of about 164 BTC was also discovered in October 2025 and converted to approximately $3.8 million. Some related addresses were blacklisted by Tether in November 2025, and the subsequently frozen USDT was destroyed three weeks ago, indicating that law enforcement and compliance agencies have intervened.Earlier in 2023, this account was also involved in a ransom transaction of about 560 BTC, which was circulated through multiple intermediary addresses and trading platforms before being bridged back to the Avalanche network in 2024. Furthermore, the investigation pointed out that the source addresses of the related bitcoins have a high correlation with multiple ransomware addresses, suspected of serving as payment transit nodes. Although some funds remain dormant, ZachXBT warned that they may still be laundered in the future and urged victims to report related addresses promptly to freeze the funds.

According to Criptonoticias, the city government of Sanxenxo in the Galicia region of Spain suffered a ransomware attack, with hackers encrypting thousands of administrative documents and blocking system access, demanding a ransom of $5,000 in Bitcoin.The attack occurred on January 26, causing the municipal servers to completely crash, affecting the operation of essential services in the city, which has over 17,000 residents. The city government has reported the incident to the Spanish Civil Guard, refused to pay the ransom, and stated that it is enabling daily backups to restore the system.

According to a report by Le Parisien, the French cryptocurrency tax reporting platform Waltio announced that it has been extorted by a hacker group called "Shiny Hunters." The group claims to have obtained personal data of approximately 50,000 customers of the platform, most of whom are located in France, and is demanding a ransom for it.Waltio is a company that provides portfolio tracking and tax calculation services for cryptocurrency holders. The company stated that it has reported the incident of "attempted extortion and disruption of automated data processing systems" to the police. The report noted that the hackers allegedly obtained the relevant customers' email and account balance information as early as 2024.

According to Cointelegraph, researchers from the cybersecurity company Group-IB have discovered a ransomware called "DeadLock" that is using Polygon smart contracts to hide itself and rotate proxy addresses.This ransomware was first identified in July last year, and it dynamically updates the command and control infrastructure addresses used to communicate with victims by invoking specific smart contracts. Once a victim is infected and data is encrypted, DeadLock issues a ransom note threatening to sell the stolen data if demands are not met.Researchers pointed out that storing proxy addresses on-chain makes its infrastructure extremely difficult to dismantle, as there is no central server that can be shut down, and blockchain data is permanently retained across global nodes. This method of abusing smart contracts to relay proxy addresses is highly variable. Although DeadLock currently has low exposure and a limited number of known victims, its novel attack techniques still pose a potential threat to organizations that do not take it seriously.

According to monitoring by Group-IB, the ransomware family DeadLock is using Polygon smart contracts to distribute and rotate proxy server addresses to evade security detection.This malware was first discovered in July 2025, embedding JS code that interacts with the Polygon network within HTML files, using an RPC list as a gateway to obtain server addresses controlled by the attacker. This technique is similar to the previously discovered EtherHiding, aiming to leverage decentralized ledgers to construct covert communication channels that are difficult to block. DeadLock currently has at least three variants, with the latest version also embedding the encrypted communication application Session to directly communicate with victims.

According to the U.S. Department of Justice, two American men have pleaded guilty to attacking multiple targets in the U.S. using ALPHV BlackCat ransomware.Ryan Goldberg (40) from Georgia and Kevin Martin (36) from Texas admitted to deploying ALPHV BlackCat ransomware between April and December 2023. Both are professionals in the cybersecurity industry, and they, along with another accomplice, paid 20% of the ransom as a cut to the ALPHV BlackCat administrator to gain access to the ransomware. After successfully extorting approximately $1.2 million in Bitcoin from one victim, the three split 80% of the ransom and laundered it through various means.The two defendants are scheduled to be sentenced on March 12, 2026, and could face up to 20 years in prison.

Recent cybersecurity incidents have severely impacted the South Korean financial sector, as the Qilin ransomware group successfully infiltrated the systems of 28 financial institutions by attacking a managed service provider (MSP), stealing over 1 million documents and 2 TB of data. The attackers have named this incident "Korean Leaks," which was carried out in three waves, primarily targeting South Korean asset management companies.Security experts suspect that this attack may be linked to the North Korean hacker group Moonstone Sleet. When the attackers posted information on the data leak website, they not only demanded a ransom but also claimed to expose "systemic corruption" and "evidence of stock market manipulation," attempting to create panic in the South Korean financial market.

According to The Hacker News, the Qilin ransomware group launched a "Korean Leaks" supply chain attack by breaching the South Korean IT service provider GJTec, resulting in 28 financial companies being affected and over 1 million files totaling 2 TB of data being stolen.Bitdefender's investigation found that this operation is linked to the North Korean-backed APT "Moonstone Sleet," suspected of collaborating with the Russian-speaking Qilin group, aiming to exert pressure on the South Korean financial market.

ChainCatcher news, according to Bitcoin News, the ransomware group "Rhysida" has stolen sensitive data from the Maryland Department of Transportation and is auctioning this data for 30 bitcoins (approximately 3.4 million USD).

ChainCatcher news, Replit CEO stated that North Korean IT remote workers (ITW) are using AI tools to secure remote jobs in the U.S., generating hundreds of millions of dollars for North Korea. On this, blockchain detective ZachXBT responded that North Korean IT remote workers are involved in at least 25 hacking or ransom incidents targeting companies in the cryptocurrency industry. The affected companies are all enterprises in the crypto field.

ChainCatcher news, according to the U.S. Department of Justice, British citizen Thalha Jubair has been charged for participating in at least 120 cyber intrusions and ransomware attacks involving 47 U.S. entities, with a total ransom paid by victims exceeding $115 million.The indictment alleges that 19-year-old Jubair (also known by aliases "EarthtoStar," "Brad," "Austin," etc.) collaborated with a cybercrime group known as "Scattered Spider" to gain unauthorized network access through social engineering techniques, steal and encrypt information, and then extort ransom from victims. The group also targeted U.S. critical infrastructure companies and the U.S. court system. Law enforcement successfully seized approximately $36 million in cryptocurrency when they shut down servers in July 2024. Jubair faces multiple charges including computer fraud, telecommunications fraud, and money laundering, with a maximum sentence of 95 years in prison.

ChainCatcher news, a so-called reward of $50,000 from the European Union Agency for Law Enforcement Cooperation (Europol) to track down the administrators of the Russian ransomware gang Qilin, is actually just a Telegram scam. This false reward message has deceived several cybersecurity news outlets, leading them to mistakenly believe that Europol would pay a reward to anyone who could provide information about the two Qilin administrators, Haise and XORacle.It is claimed that these two are responsible for "coordinating affiliate organizations and overseeing ransomware activities," and Europol is seeking intelligence that could "directly lead to the identification or location of these administrators."However, Europol confirmed to Security Week that this so-called reward is actually a "scam," and the agency has never issued such a reward.

ChainCatcher News, the U.S. Department of Justice announced that after unsealing six search warrants in federal courts in Virginia, California, and Texas, over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury car were seized. These assets are allegedly related to the ransomware proceeds laundered by Ianis Aleksandrovich Antropenko, who is currently facing charges in the Northern District of Texas.According to the indictment, Antropenko and his associates deployed Zeppelin ransomware to infiltrate victim systems, encrypt data, and steal information, subsequently demanding ransom payments in exchange for decrypting files, preventing leaks, or deleting stolen data. Victims include individuals, businesses, and institutions both domestically and internationally.The search warrants reveal that Antropenko laundered the ransom proceeds through various channels, including the use of ChipMixer—a cryptocurrency mixing service that was dismantled in 2023 by an international law enforcement operation. He also converted cryptocurrency into cash and made incremental deposits into accounts to evade regulation.

ChainCatcher news, according to Decrypt, Texas authorities announced the seizure of $2.8 million in cryptocurrency, $70,000 in cash, and a luxury car from alleged ransomware operator Ianis Antropenko. Antropenko is accused of using Zeppelin ransomware to attack global targets.Data shows that in 2024, losses from cryptocurrency-related crimes in the U.S. reached $9.3 billion, a 66% increase year-on-year. The Department of Justice's Cyber Crime Division stated that it has recovered a total of $350 million in victim funds and prevented over $200 million in potential ransom payments.

ChainCatcher news reports that U.S. and international law enforcement agencies have seized 4 servers, 9 domain names, and approximately $1 million in Bitcoin, which are linked to a notorious Russian ransomware gang accused of attacking hundreds of institutions across critical sectors.The U.S. Department of Justice stated that the operation began on July 24, executed jointly by U.S. agencies along with those from Canada, Germany, Ireland, France, the UK, Ukraine, and Lithuania, targeting infrastructure associated with BlackSuit and Royal ransomware. Investigators believe that these two ransomware variants were developed by the same cybercrime group.Authorities claim that since 2022, the gang has extorted over $500 million in ransom, with a single ransom demand reaching as high as $60 million. It is alleged that they attacked more than 450 victims in the U.S. during this period, including hospitals, schools, police departments, energy companies, and government agencies, illegally profiting at least $370 million.The seized cryptocurrency was valued at $1,091,453 at the time of the seizure, originating from a digital wallet frozen by a trading platform in January 2024. According to court documents, these funds include a portion of Bitcoin ransom paid by a victim in April 2023, totaling $1.45 million.Victims of BlackSuit and Royal are typically required to pay ransoms in Bitcoin through dark web sites. Cybersecurity officials warn that operators of such malware often combine intimidation tactics with sophisticated data theft techniques, making it difficult to recover data without paying the ransom.

ChainCatcher news, according to Cointelegraph, blockchain intelligence company TRM Labs stated that a ransomware group named Embargo has transferred over $34 million in ransom-related cryptocurrency since April. Embargo currently has approximately $18.8 million in cryptocurrency stored in non-affiliated wallets, and experts believe this strategy may be aimed at delaying detection or taking advantage of better money laundering conditions in the future. Embargo operates under a ransomware-as-a-service (RaaS) model, primarily targeting industries with high downtime costs, including healthcare, business services, and manufacturing, and tends to attack victims within the United States, possibly due to their stronger payment capabilities.TRM's investigation suggests that Embargo may be a rebranded version of the notorious BlackCat (ALPHV) group, which disappeared earlier this year amid allegations of an exit scam. Although Embargo is not as overtly aggressive as LockBit or Cl0p, it employs a double extortion strategy: encrypting systems and threatening victims with the release of sensitive data if they do not pay. In some cases, the group publicly names victims or leaks data on its website to increase pressure.

ChainCatcher news, according to the U.S. Department of Justice Northern District of Texas Prosecutor's Office, the U.S. Department of Justice filed a civil lawsuit in the Northern District of Texas Court on July 24, seeking the forfeiture of previously seized cryptocurrency assets.It is reported that the FBI Dallas Field Office seized approximately 20.29 BTC from a cryptocurrency address on April 15, with a current market value of over $2.4 million. The related assets are alleged to be connected to a ransomware organization member "Hors" of Chaos, involved in illegal activities such as money laundering and computer extortion. This gang has carried out multiple cyberattacks in the Northern District of Texas and other areas.

ChainCatcher news, according to IT Home citing Bloomberg, the U.S. Department of Justice is investigating a former ransomware negotiation expert from DigitalMint, who is accused of reaching secret agreements with hackers to extract commissions from ransom payments, severely harming client interests. DigitalMint is a Chicago-based incident response and digital asset services company that specializes in ransomware negotiations and cryptocurrency payment services, helping clients obtain decryption keys and prevent data breaches.The investigation focuses on whether the negotiation expert violated federal laws, including conspiracy, wire fraud, and money laundering. If convicted, this individual could face severe penalties. DigitalMint has stated that the employee involved has been immediately terminated, and their actions are considered an isolated incident.