FBI Dallas has seized approximately 20 Bitcoins from a cryptocurrency address belonging to a Chaos ransomware member that is linked to cyberattacks against, and extortion payments from, Texas companies.
The crypto was seized on April 15, 2025, and was traced to an affiliate named “Hors,” who is suspected of launching the attacks against the companies.
“The seized funds were traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as ‘Hors,’ who has been tied to ransomware attacks against victims here in the Northern District of Texas and elsewhere,” reads the FBI’s announcement.
“As the result of the actions, 20.2891382 BTC was seized (now valued at over $2.3 million) from cryptocurrency address bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd on April 15, 2025.”
The U.S. Department of Justice announced that, on July 24, 2025, it filed a civil complaint seeking the forfeiture of the amount the FBI seized, which is now valued at over $2,400,000.
Civil forfeiture allows the government to file a complaint directly against the property, seeking to take permanent ownership of assets believed to be connected to criminal activity, in this case, ransomware.
Chaos ransomware revival
The cryptocurrency was seized from the relatively new Chaos ransomware operation that is believed to be a rebrand of the BlackSuit ransomware group.
Although the name is the same as a low-tier ransomware variant whose builder has been used by cybercriminals since mid-2021, the new Chaos gang has no links to this older variant.
The new Chaos ransomware operation stems from the notorious Conti ransomware gang, which suffered a data breach and shut down in June 2022. Its members then splintered into numerous other ransomware gangs.
In January 2023, the Royal (Quantum) ransomware gang was launched and was believed to be the direct successor to the notorious Conti operation.
In June 2023, after feeling pressure from law enforcement for the attack on the City of Dallas, Texas, the Royal ransomware operation began testing a new BlackSuit encryptor, eventually rebranding as BlackSuit.
Cisco Talos researchers believe the new Chaos ransomware is a rebrand of BlackSuit based on similarities in the encryption, ransom note structure, and the toolset used in the attacks.
While the U.S. DOJ and FBI have not explicitly distinguished which Chaos group ‘Hors’ belonged to, BleepingComputer confirmed that the Bitcoin seizure is linked to the new Chaos operation.
As the BlackSuit ransomware operation had its dark web extortion sites seized by law enforcement last week, it’s possible that the law enforcement investigation uncovered this cryptocurrency wallet as part of the operation.