$34M in Crypto Traced to Embargo as Ransomware Evolves With New Tactics

Nahid
Published: August 11, 2025
(Updated: August 11, 2025)
4 min read
TL;DR

  • Blockchain forensics firm TRM Labs says ransomware group Embargo has processed about $34.2M in crypto since April 2024.
  • Embargo's victims are mostly in the U.S., concentrated in healthcare, business services, and manufacturing.
  • Evidence points to the group being a rebrand or successor to the notorious BlackCat/ALPHV gang.
  • Ransom demands have reached $1.3M for a single attack.
  • Funds flowed through high-risk exchanges, P2P markets, mixing services, and sanctioned platforms like Cryptex.net.

According to a new report from blockchain intelligence firm TRM Labs, a group calling itself Embargo has quietly processed more than $34 million in cryptocurrency since it appeared in April 2024. The firm says the group's victims have been concentrated in the United States, with a focus on healthcare, business services, and manufacturing, sectors where downtime can be crippling.

TRM's analysis suggests that Embargo may not be entirely new. Investigators note technical overlaps with the BlackCat/ALPHV ransomware operation, which U.S. authorities targeted in late 2023. Similarities include malware built in the Rust programming language, a near-identical leak site design, and shared wallet infrastructure on-chain.

Ransomware's Latest Victims

Embargo's known victims include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. In some cases, ransom demands reached $1.3 million, underscoring the group's willingness to push for high payouts.

Healthcare remains a prime target for ransomware actors. With patient data, critical systems, and regulatory obligations in play, hospitals often face immense pressure to restore operations quickly, making them more likely to consider paying.

Following the Crypto Trail

The TRM report maps out where the ransom funds went, offering a rare look into how such groups handle their digital takings.

  • $13.5M went to various global virtual asset service providers (VASPs)
  • $1M+ was funneled through Cryptex.net, a platform now under sanctions
  • Only two deposits were traced to the privacy-focused Wasabi mixer
  • Roughly $18.8M remains idle in unattributed addresses, potentially waiting for a "cash-out" opportunity or serving as a tactic to frustrate tracing efforts

"Embargo retains control over core operations including infrastructure and payment negotiations. This model enables threat actors to rapidly scale their operations and target a broad range of sectors and geographies," TRM wrote in its blog post on the investigation.

The Ransomware-as-a-Service Model

Like many modern cybercrime outfits, Embargo appears to operate on a Ransomware-as-a-Service (RaaS) model. In RaaS, developers create and maintain ransomware tools, while affiliates carry out the attacks. The profits are then split, typically with the developer taking a percentage.

This setup allows rapid scaling: more attackers can join without having to build malware from scratch, and the core team can continually improve its software. TRM suggests that Embargo has kept a low profile, avoiding flashy branding and public boasts, to reduce attention from law enforcement while still attracting capable affiliates.

Experimenting with AI and Automation

The report also hints at a new frontier: the use of AI and machine learning to sharpen phishing lures and mutate malware. While details are scarce, this could signal an evolution in ransomware tactics, with AI tools automating the social engineering process and adapting attacks in real time to bypass security defenses.

This mirrors broader concerns in the cybersecurity community that generative AI could lower the barrier to sophisticated attacks, something regulators and law enforcement agencies are now watching closely.

Why This Matters for Crypto Regulation

The Embargo case is another reminder that crypto still plays a role in enabling large-scale ransomware operations, even as regulators worldwide tighten rules on exchanges and cross-border transfers. High-risk exchanges and peer-to-peer marketplaces, especially those operating offshore, remain weak points in enforcement. While the percentage of crypto transactions linked to illicit activity has dropped over time, the absolute value of ransomware payments remains significant.

The U.S. Treasury, along with its international partners, has been pushing for stronger Know Your Customer (KYC) and Anti-Money Laundering (AML) measures across the virtual asset sector. But as the Embargo investigation shows, gaps remain.

The BlackCat Connection

BlackCat/ALPHV was one of the most active ransomware groups before a coordinated law enforcement operation disrupted its infrastructure. Experts note that rebrands are common after such crackdowns.

The on-chain links between Embargo and BlackCat wallets strengthen the case that this is less a "new" group and more an adaptation: a shift in branding designed to shed legal and reputational baggage while keeping the operation running.

Final Thought

Embargo's rise offers a textbook example of how ransomware evolves: not by inventing entirely new methods, but by iterating on proven ones and hiding in plain sight.

With $34 million already traced to its operations in under a year, and a potential link to one of the most notorious ransomware brands in history, Embargo underscores the ongoing challenge of policing cybercrime in a borderless, blockchain-powered world.

About the Author

Nahid

Based in Bangladesh but far from boxed in, Nahid has been deep in the crypto trenches for over four years. While most around him were still figuring out Web2, he was already writing about Web3, decentralized protocols, and Layer 2s. At CotiNews, Nahid translates bleeding-edge blockchain innovation into stories anyone can understand — proving every day that geography doesn’t define genius.
