DOJ Strikes Back: $2.3M in Bitcoin Seized from Notorious Chaos Ransomware Gang
The U.S. Department of Justice just dropped the hammer—cracking down on cybercriminals where it hurts: their crypto wallets. Here’s the breakdown.
The Takedown: Federal prosecutors moved to claw back $2.3 million in Bitcoin tied to the Chaos Ransomware syndicate. No polite subpoenas—just a forfeiture action straight out of a crypto noir thriller.
Why It Matters: Ransomware gangs love Bitcoin’s pseudonymity… until blockchain forensics turns their ‘untraceable’ myth to dust. Another win for chain analysis—and another blow to cybercriminals pretending crypto is their get-out-of-jail-free card.
The Irony: Hackers demanded payment in ‘hard-to-trace’ Bitcoin… only for the DOJ to trace it effortlessly. Maybe next time they’ll try gift cards. (Wall Street bankers nodding sagely—‘See? Even criminals prefer decentralized finance.’)
What does the DOJ allege?
Federal prosecutors claim the seized bitcoin constitutes property involved in unlawful activity, or proceeds derived from offenses including money laundering and extortion related to attacks on protected computers—more commonly known as ransomware attacks.
They allege that Hors targeted victims in the Northern District of Texas and other jurisdictions, and pressured victims into paying by encrypting sensitive data on the victim’s devices and demanding cryptocurrency payments in return for restoring access and withholding leaks.
Authorities reportedly used a recovery seed phrase associated with Electrum, an older Bitcoin wallet platform, to access the seized funds. However, the exact technical details were not disclosed in the public filing.
According to court documents, federal agents were able to access the wallet and subsequently move the funds to a government-controlled address. The DOJ has also refrained from detailing the evidence linking the Bitcoin to Hors.
When the cryptocurrency was seized in April, it was worth around $1.7 million but had appreciated to over $2.4 million by the time the complaint was filed.
What is the Chaos ransomware group?
According to Cisco Talos, Chaos is structured as a ransomware-as-a-service (RaaS) network.
This model allows other criminals to purchase or lease access to ransomware tools developed by the group in exchange for a share of the ransom profits. The software is marketed as cross-platform and can be used to destroy backups and exfiltrate sensitive information.
While Chaos shares its name with an existing ransomware builder, researchers believe the two are unrelated. Instead, the group appears to be deliberately taking advantage of the name to complicate attribution and mask the identities of its operators.
Chaos is believed to have been active since at least February 2025, and is known to target both individuals and businesses.
Authorities have not revealed the total number of attacks carried out by the group, nor the cumulative ransom demands involved. However, Hors is believed to be one of several active members using the Chaos platform.
DOJ’s recovery efforts
Over the past months, the Department of Justice has been working closely with law enforcement agencies and blockchain firms to recover millions in stolen or laundered cryptocurrency.
Earlier this month, the DOJ credited stablecoin issuer Tether with helping recover $40,300 in USDT tied to a scam impersonating the Trump-Vance Inaugural Committee. Similarly, in June, the department filed a civil complaint to seize over $225 million in Tether (USDT) tied to a major pig butchering scam.
One of the largest cases to date remains the DOJ’s recovery of over $9 billion in Bitcoin from the 2016 Bitfinex hack. The assets, once considered lost, were traced and seized following years of investigation.
In a court filing earlier this year, the DOJ confirmed that the majority of the recovered funds would be returned to the exchange itself.