The FBI in Dallas has seized millions of dollars' worth of Bitcoin from a member of the recently assembled Chaos ransomware group. According to FBI Dallas on X, the Bitcoin funds were allegedly owned by Chaos member “Hors,” who has allegedly been responsible for multiple ransomware attacks against victims in the Northern District of Texas, as well as in other locations.

The full amount of Bitcoin the FBI seized was 20.2891382 coins, amounting to almost $2.4 million at the time of writing, from Bitcoin address “bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd” on June 19, 2025. The United States Attorney’s office has since filed a civil complaint in the Northern District of Texas seeking the forfeiture of the 20 Bitcoins to the United States government.


Today, FBI Dallas made public the seizure of over $1.7 million worth of cryptocurrency as part of ongoing efforts to combat ransomware. The seized funds were traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as “Hors,” who… pic.twitter.com/uWeIMMGE9J July 28, 2025

According to Cisco’s Talos threat intelligence team, Chaos is a new ransomware-as-a-service gang that allegedly emerged in February 2025. The group is believed to be an offshoot of the BlackSuit ransomware gang, due to their similar methods and tactics. The Chaos group has quickly grown in popularity since its inception and caught the attention of not only the FBI but also large corporations, such as Broadcom, for its double extortion attacks in the U.S., U.K., India, and New Zealand.


According to Talos, the gang provides a ransomware software package that can target Windows, ESXi, Linux, and NAS systems with an alleged emphasis on high-speed encryption and robust security measures. When in use, the ransomware software encrypts the host system’s files with the “.chaos” file extension while hiding the encryption process under false pretenses. The software provides a ransom note claiming the software attempted to perform security testing and successfully compromised the system.

Members of Chaos will also threaten victims with the disclosure of stolen confidential data if they don’t pay the ransom after breaching a victim’s machine. Confusingly, the gang doesn’t leave initial ransom or payment instructions; instead, they provide a Tor onion URL for the victim to contact the actor. If the victim contacts the actor and pays the ransom, the actor will decrypt any files Chaos' software encrypted and supposedly permanently delete any stolen data. If the ransom is not paid, the actor will threaten to conduct DDoS attacks on the victim’s public-facing services and publish any sensitive data that might have been captured.

The gang might have hoped that using cryptocurrency as a means of extorting its victims would offer some degree of anonymity for its activities, but as the FBI’s seizure of at least some of its assets shows, such measures alone don’t provide airtight cover in the world of cybercrime.


Aaron Klotz is a contributing writer for Tom’s Hardware, covering news related to computer hardware such as CPUs and graphics cards.