The Department of Justice (DoJ) said it has seized over $2.8 million in cryptocurrency from a wallet owned by the operator of the Zeppelin ransomware.

The seizure announcement is part of an indictment by the DoJ against the alleged Zeppelin ransomware operator, Ianis Aleksandrovich Antropenko. The DoJ on Aug. 14 claimed Antropenko used Zeppelin to target a wide array of individuals, businesses, and organizations across the U.S. and worldwide, collectively bringing in the millions of dollars in cryptocurrency.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Zeppelin ransomware-as-a-service was used since at least 2019 to target critical infrastructure firms like defense contractors, manufacturers, and healthcare and medical organizations. In 2022, reports said that the founder of a cybersecurity consulting firm (Unit221B) had found several flaws in the malware’s encryption scheme, allowing him to crack the ransomware’s encryption, and incidents tied to the ransomware have died down since then. Zeppelin is derived from the Delphi-based Vega malware family, and when it was active its related incidents involved various TTPs, with initial access vectors ranging from RDP exploitation and phishing to exploitation of SonicWall firewall flaws, according to CISA’s 2022 advisory.

The DoJ announcement, part of six warrants unsealed last week by a handful of U.S. district courts, also includes the seizure of $70,000 in cash - and, of course, a luxury vehicle. It also sheds light on some of the behind-the-scenes ways Antropenko was allegedly laundering his proceeds. One such way was through ChipMixer, a darknet cryptocurrency mixer that, before it was taken down in 2023, was responsible for processing over $3 billion in illegal transactions. Additionally, Antropenko exchanged cryptocurrency for cash before depositing the cash in structured cash deposits.

Mixing services (also known as tumblers) like ChipMixer are vital for facilitating various types of cybercrime, including ransomware, fraud and cryptocurrency heists. These services help conceal crypto transactions, which makes it hard for law enforcement to trace specific transactions back to specific people. Some of the more infamous crypto mixers have been used on the backend of operations for state-sponsored groups - like Tornado Cash being used by the Lazarus Group.

U.S. authorities have made some headway in their ability to track and seize illicit cryptocurrency funds from various crimes, although it’s difficult as threat actors use various tactics even beyond mixers, including chain hopping (where cryptocurrency is converted and funds are moved across blockchains in rapid succession, to further hinder tracking). A month after the 2021 Colonial Pipeline attack, the DoJ was able to seize a large portion (63.7 bitcoins, valued at $2.3 million at the time) of the total ransom (75 bitcoins) paid in the attack. And in 2022, the DoJ seized $3.6 billion in Bitcoin connected to the 2016 Bitfinex attack.

Antropenko is being charged in the Northern District of Texas for conspiring to commit computer fraud and abuse, computer fraud and abuse, and conspiracy to commit money laundering.

Note: Cisco and Duo are no longer affiliated with Decipher. All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.