Federal prosecutors have launched a forfeiture action to claim $2.3 million in Bitcoin allegedly tied to a ransomware actor from the newly identified Chaos group.

According to a July 28 press release from the US Attorney’s Office for the Northern District of Texas, the Department of Justice filed a civil complaint seeking the forfeiture of approximately 20.3 Bitcoin. The FBI’s Dallas Division originally seized the Bitcoin in question in mid-April from a wallet linked to an individual known as “Hors,” who is alleged to be a member of the Chaos ransomware group.

Authorities claim the funds are connected to schemes that targeted victims in the Northern District of Texas and other regions, and constitute property involved in or derived from “unlawful activity, including money laundering and extortion” related to ransomware attacks.

Law enforcement reportedly accessed the wallet using a recovery seed phrase associated with Electrum, an older Bitcoin wallet platform. However, the government has not disclosed how the seed phrase was obtained. According to court documents, federal agents successfully transferred the seized funds to a government-controlled address.

At the time of the seizure in April, the Bitcoin was worth approximately $1.7 million. By the time the complaint was filed in late July, the value had increased to over $2.4 million.

New entrant in the ransomware market

Chaos is a newly identified ransomware-as-a-service (RaaS) operation that has been active since at least February 2025. The group was first documented by cybersecurity firm Cisco Talos, which has warned of its cross-platform capabilities that allow it to target Windows, Linux, ESXi, and NAS systems.

Like other RaaS models, Chaos licenses its malware to affiliates in exchange for a share of the ransom payments. Victims are typically pressured into paying in cryptocurrency to regain access to encrypted files or to prevent the public release of stolen data.
Despite sharing its name with a well-known ransomware builder, Chaos appears to be a separate group entirely. Researchers believe the threat actors behind the ransomware campaign may be intentionally leveraging the name to obscure attribution and make tracking efforts more difficult. The alias “Hors” is believed to represent one of several active participants using the Chaos platform.

A busy month for the DOJ

Earlier this month, the DOJ filed a similar civil forfeiture action to recover more than $7 million in cryptocurrency seized by Homeland Security as part of an investigation into a $97 million oil and gas investment scam. The funds were allegedly laundered through wallets linked to suspects in Russia and Nigeria and routed through offshore exchanges.

Also in July, the DOJ disclosed that it had collaborated with Tether to recover $40,300 in USDT linked to a phishing scam that impersonated the Trump-Vance Inaugural Committee.

The post DOJ pursues $2.3M in Bitcoin recovered from a suspected ‘Chaos’ ransomware operator appeared first on Invezz