U.S. law enforcement officials have seized more than $2.8 million in cryptocurrency that they say belonged to a man who collected the digital assets through attacks using the Zeppelin ransomware.
The Justice Department (DOJ) also seized $70,000 in cash and a luxury vehicle belonging to Aleksandrovich Antropenko, who was indicted on charges including computer fraud and abuse, conspiracy to commit computer fraud and abuse, and money laundering.
According to the DOJ, Antropenko and unnamed co-conspirators used the Russian Zeppelin ransomware, now considered defunct, in attacks inside and outside the United States, running double-extortion operations in which they not only encrypted a target's data but also stole it and threatened to publish it.
Antropenko allegedly laundered the ransom payments through ChipMixer, a cryptocurrency mixing service that international authorities took down in 2023. According to the indictment, he also laundered crypto by exchanging it for cash and then making structured cash deposits, splitting the money into smaller amounts to stay under bank reporting thresholds.
The seizure of the crypto and cash was covered by six federal warrants unsealed by courts in California, Virginia, and Texas.
Follows Chaos, BlackSuit Seizures
The indictment of Antropenko and the seizure of the crypto and cash come less than a month after the DOJ seized almost $2.4 million in Bitcoin from a member of the Chaos ransomware group known as "Hors" for attacks in the United States and elsewhere. In a separate operation, authorities shut down the BlackSuit ransomware operation and seized more than $1 million worth of crypto.
The Zeppelin ransomware emerged in 2019, targeting a range of industries, including technology and healthcare. CISA issued an alert about the ransomware in 2022 outlining mitigations organizations could take. Later that year, the Zeppelin operation reportedly shut down after researchers with cybersecurity company Unit221B created a decryptor that let victims recover their files for free.
In a blog post at the time, Unit221B researchers wrote that they were motivated to create the decryptor by Zeppelin attackers' targeting of homeless shelters, nonprofits and charity organizations. "These senseless acts of targeting those who are unable to respond are the motivation for this research, analysis, tools, and blog post."
In an update posted to the blog in July, they wrote that Unit221B is "no longer taking inquiries for assistance with Zeppelin decryption. Further updates will be provided here if we craft a playbook for handling attacks in the future."
Dead or Alive?
The Zeppelin ransomware was considered defunct once the decryptor was publicized. However, researchers with Picus Security wrote in late 2023 about a new variant of the malware. They noted that Zeppelin, which first hit the scene in 2019, belongs to a family of Delphi-based ransomware whose other members, including Vega, Jamper, Storm, and Buran, were distributed via a ransomware-as-a-service (RaaS) model. The variants shared a code base and similar features, but each differed in its details.
They described the latest Zeppelin variant as "highly configurable," able to be "deployed in different forms such as executable, DLL, or wrapped in PowerShell loader," and still using double extortion in its attacks.
In 2024, reports surfaced of a threat actor selling the source code and a cracked builder for Zeppelin2 for $500 on the Russian-language hacking forum RAMP, a sale that could let the buyer revive the ransomware.
Researchers with cybersecurity vendor Keepnet Labs wrote in early 2024 about a "troubling comeback" by the ransomware, featuring a new multi-encryption tactic in which multiple instances of the ransomware run during a single attack, each using unique file identifiers and extensions.
“This approach forces victims to acquire multiple decryption keys, greatly complicating the recovery process,” they wrote.
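The practical consequence of the multi-encryption tactic for a responder is that the number of distinct appended extensions across the encrypted files is the number of separate encryptor runs, and therefore the minimum number of decryption keys the victim will need. The script below is an added triage example written for this article, not code from Keepnet Labs, Picus or the Zeppelin operators. The suffix shape it matches (three dash-separated hex groups appended after the real extension) and the sample file paths are constructed assumptions for illustration; adjust `SUFFIX_RE` to whatever marker the incident actually shows.

```python
import os
import re
from collections import defaultdict

# Constructed sample of paths as a responder might collect them from a hit
# file share. Not real victim data. Three distinct suffixes stand in for three
# separate encryptor runs; two entries are an untouched file and a ransom note.
SAMPLE_PATHS = [
    r"\\fs01\finance\Q3-report.xlsx.A1B-2C3-4D5",
    r"\\fs01\finance\budget.docx.A1B-2C3-4D5",
    r"\\fs01\hr\payroll.csv.9F0-E1D-2C3",
    r"\\fs01\hr\handbook.pdf.9F0-E1D-2C3",
    r"\\fs01\it\backup.vhdx.77A-88B-99C",
    r"\\fs01\it\readme.txt",
    r"\\fs01\it\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
]

# Assumed marker format: ".XXX-XXX-XXX" (hex) appended after the original
# extension. This is an illustrative pattern, not a documented Zeppelin format.
SUFFIX_RE = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def encryptor_id(path):
    """Return the appended suffix identifying an encryptor run, or None."""
    m = SUFFIX_RE.search(path)
    return m.group(1).upper() if m else None


def group_by_instance(paths):
    """Map each distinct suffix (one encryptor instance) to the files it touched."""
    groups = defaultdict(list)
    for p in paths:
        sid = encryptor_id(p)
        if sid is not None:
            groups[sid].append(p)
    return dict(groups)


def triage(paths):
    """Summarize how many encryptor instances ran and what each one hit."""
    groups = group_by_instance(paths)
    encrypted = sum(len(v) for v in groups.values())
    return {
        "instances": len(groups),          # == minimum number of keys needed
        "encrypted_files": encrypted,
        "untouched_files": len(paths) - encrypted,
        "per_instance": {k: len(v) for k, v in groups.items()},
    }


def collect_paths(root):
    """Walk a real directory tree and return every file path under it."""
    out = []
    for dirpath, _, files in os.walk(root):
        out.extend(os.path.join(dirpath, f) for f in files)
    return out


if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print(f"{r['instances']} encryptor instance(s); "
          f"{r['encrypted_files']} encrypted, {r['untouched_files']} untouched")
    for sid, n in sorted(r["per_instance"].items()):
        print(f"  {sid}: {n} file(s) -> needs its own decryption key")
```

On a live case, replace `SAMPLE_PATHS` with `collect_paths(r"\\fs01\share")` run from a read-only vantage point, and record the per-instance counts before negotiating or attempting recovery: a single decryptor, or a single key from the attacker, will only restore the files belonging to one of the instances.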