Embargo Ransomware Gang Rakes in $34M in Just 4 Months – TRM Labs Exposes Crypto Crime Spree
Another day, another crypto-fueled cyberheist. The so-called 'Embargo' group just proved ransomware is still the get-rich-quick scheme for the digital age—no VC funding required.
The $34M Shakedown
Since April 2024, these threat actors have been cashing out like a degenerate trader during a bull run. TRM Labs' blockchain sleuths traced the loot—all 34 million reasons why cybersecurity can't keep up with crypto's dark side.
Ransomware's Bull Market
Forget hodling—these operators prefer extortion. Their business model? Lock files, demand Bitcoin, repeat. Works every time—until it doesn't. But with payouts like these, who's counting?
Meanwhile, your average DeFi protocol burns through $34M in marketing before lunch. At least these criminals show a profit.
TRM Labs investigations uncover Embargo’s operations
According to TRM Labs, its investigations uncovered that the group might have sprung up as a rebranded version of the infamous BlackCat (ALPHV) operation. That group disappeared earlier this year after it was involved in an exit scam. An exit scam is a kind of rug pull in which the individuals in charge of a project disappear with user funds without a trace.
TRM Labs noted that the two entities share a technical overlap: both use the Rust programming language, operate similar data leak sites, and exhibit on-chain ties through shared wallet infrastructure.
According to reports, about $18 million of illegal proceeds belonging to Embargo still lie dormant in unaffiliated wallets. Analysts believe that this tactic is used to delay detection or seek better exploit opportunities in the future.
Embargo uses a network of intermediary wallets, high-risk exchanges, and sanctioned platforms, including Cryptex.net, to hide transaction trails and obscure funds. From May through August, TRM Labs said it traced at least $13.5 million stolen by Embargo across various virtual asset service providers, with more than $1 million moved through Cryptex alone.
While Embargo does not use the aggressive tactics deployed by groups like LockBit or Cl0p, the group has adopted double extortion. It combines system encryption with threats to leak sensitive data in order to coerce its victims into paying the ransom. In some instances, the group has leaked the names of individuals involved or the stolen data itself to show its seriousness and increase pressure.
Embargo goes after high-stakes targets
The group consistently targets sectors where downtime is costly, including healthcare, manufacturing, and business services. It has also shown a preference for victims based in the United States, who tend to have the capacity to pay on time precisely because downtime is so expensive for their operations.
Meanwhile, the United Kingdom has announced plans to ban ransomware payments for all public sector bodies and critical national infrastructure operators. These sectors include energy, healthcare, and local councils. The proposal will introduce a payment prevention regime that requires victims outside the ban to report any intended ransomware payment to the authorities.
The plan also includes a mandatory reporting system under which victims must submit an initial report to the government within 72 hours of an attack and a detailed follow-up within the following 28 days.
According to a previous Chainalysis report, ransomware attacks dropped about 35% last year. The report claimed that it was the first time since 2022 that revenues from ransomware dropped that much. The report, which was released in February, noted that despite the drop, victims still lost more than $800 million to the criminals. Chainalysis attributed the drop to increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay.