$34 million in crypto payments traced to Embargo ransomware group: report

A ransomware outfit known as Embargo has processed about $34.2 million in cryptocurrency since emerging in April 2024, with victims concentrated in the United States and spanning healthcare, business services, and manufacturing, blockchain intelligence firm TRM Labs said in a report.

TRM surmises Embargo is likely a rebrand or successor to the BlackCat/ALPHV ransomware operation, citing technical overlaps such as Rust-based malware, a similar leak-site design, and onchain links through shared wallet infrastructure.

The group’s known targets include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho, where ransom demands reached as high as $1.3 million, TRM stated.

Where the money went

TRM traced ransom payments in crypto from victim pay addresses through intermediary wallets to high-risk exchanges, peer-to-peer marketplaces, mixing services, and a now-sanctioned platform, Cryptex.net.

Investigators identified hundreds of deposits totaling about $13.5 million into global virtual asset service providers and roughly 17 deposits totaling just over $1 million via Cryptex.net. Embargo appears to use mixers sparingly, as TRM flagged only two deposits into the Wasabi service.

Meanwhile, about $18.8 million remains idle in unattributed addresses, a tactic investigators say cybercriminals use to disrupt tracing or await more favorable cash-out conditions.

The report adds that Embargo’s ransomware-as-a-service model and subdued branding have helped it scale while avoiding attention, and that the group may be experimenting with AI and machine learning to sharpen phishing lures and mutate malware.

The findings are a reminder that crypto payments and loosely regulated offshore exchanges still sometimes enable large-scale ransomware operations, even as enforcement pressure rises.

Last year, The Block reported that Dark Angels extracted a $75 million bitcoin payment in a single attack, the largest known ransomware ransom at the time. However, data also shows increased crypto exchange crackdowns and higher refusal-to-pay rates have decreased ransomware proceeds. Total ransomware extortion fell 35% in 2024 to $813 million, down from $1.25 billion the previous year, according to Chainalysis.

© 2025 The Block. All Rights Reserved.