Hacker Group Auctions Stolen Maryland Transportation Department Data for Bitcoin in Bold Cyber Heist

Cybercriminals flip stolen government data on the blockchain—because why bother with traditional ransomware when you can host your own dark web auction?

The Digital Shakedown

Hackers just put a price tag on Maryland's transportation secrets, accepting only cryptocurrency for the sensitive data haul. No middlemen, no banks—just pure peer-to-peer extortion with Bitcoin as the payment rail.

Blockchain's Double-Edged Sword

While crypto promises financial sovereignty, it also creates the perfect untraceable marketplace for ill-gotten digital goods. The same anonymity that protects privacy activists now shields data thieves cashing out their exploits.

Maryland's transport systems join growing list of public infrastructure targeted by crypto-savvy threat actors who've realized government data trades better than most altcoins.

Another day, another demonstration that digital assets move value faster than regulations can keep up—Wall Street bankers still can't figure out whether to condemn the technology or try to securitize it.

Maryland officials decline to provide details of ransomware attack

The Maryland Transit Administration (MTA), a division of MDOT, released a statement admitting to the public that its data had been compromised. Questioned by reporters about the extent of the breach, MTA spokesperson Veronica Battisti said:

“The agency is unable to disclose specific or additional details regarding what data has been lost because of the sensitivity of the ongoing investigation.”

The Maryland Department of Information Technology has confirmed it is working with law enforcement agencies and cybersecurity firms to trace the source of the intrusion and assess the depth of the damage.

Transportation systems, including buses, subways, and light rail, were not directly impacted. However, the attack affected several real-time information services and tools, including those linked to a program known as Mobility, a service that orders shared rides from home through a website for those who do not use bus stops.

Per cybercrime news outlet The Record, Rhysida was responsible for a ransomware attack against Prince George’s County Public Schools (PGCPS), one of the largest districts in the Washington, DC, suburbs.

The attack, which occurred in August 2023, caused a network outage that disrupted operations just before the new school year. PGCPS, which serves about 130,000 students, later confirmed in a regulatory filing that personal information of nearly 100,000 individuals may have been exposed.

“The information present in the files that may have been viewed or acquired as a result of this incident varies per person, and includes individuals’ names, financial account information, and Social Security numbers,” the district said at the time.

Pennsylvania attorney general’s office hit by ransomware

In other-related news, ransomware attacks were also reported by Pennsylvania’s Office of the Attorney General in early September. According to Attorney General Dave Sunday, the cybercrime group Inc. ransomware had encrypted files and communications systems on August 11. 

AG Sunday said courts granted extensions in certain cases where evidence and court filings had been affected, and that no prosecutions or investigations WOULD fail “because of the cyberattack.”

“This situation has certainly tested OAG staff and prompted some modifications to our typical routines; however, we are committed to our duty and mission to protect and represent Pennsylvanians, and are confident that mission is being fulfilled,” Sunday said in a statement.

The office has not disclosed if any personal data was stolen, but officials said anyone whose information was compromised would be notified once the investigation concludes.

Security researchers said the Pennsylvania incident may have been caused by security flaws in Citrix NetScaler devices that are used by several government and corporate networks. 

A CVE-2025-5777 or “Citrix Bleed 2” exploit could allow attackers to bypass authentication to access sensitive government systems. Cybersecurity analyst Kevin Beaumont published evidence suggesting that at least two internet-exposed Citrix NetScaler appliances in the attorney general’s office were vulnerable before being taken offline.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.