The U.S. Department of Justice has launched a forfeiture action to recover nearly $2.3 million worth of Bitcoin tied to a new ransomware group dubbed Chaos.
Summary
- A civil complaint has been filed to forfeit over $2.3 million in Bitcoin tied to a Chaos ransomware group member.
- The FBI seized the funds in April this year from a wallet controlled by an individual known as “Hors.”
- Chaos is a ransomware-as-a-service group, reportedly active since February 2025.
Chaos is a recently identified ransomware-as-a-service operation. First spotted in early 2025 by researchers at cybersecurity firm Cisco Talos, the group is known for targeting victims across multiple platforms—including Windows, Linux, ESXi, and NAS systems—and extorting payments by encrypting files and threatening to leak sensitive data.
According to the official press release, the United States Attorney’s Office for the Northern District of Texas filed a civil complaint last Thursday, July 24, seeking the forfeiture of 20.2891382 Bitcoin.
The cryptocurrency, worth over $2.3 million at the time of filing, was seized by the FBI’s Dallas division on April 15, 2025. It was traced to a wallet allegedly associated with a Chaos group member known only by the alias “Hors.”
What does the DOJ allege?
Federal prosecutors claim the seized Bitcoin constitutes property involved in unlawful activity, or proceeds derived from offenses including money laundering and extortion related to attacks on protected computers—more commonly known as ransomware attacks.
They allege that Hors targeted victims in the Northern District of Texas and other jurisdictions, pressuring them to pay by encrypting sensitive data on their devices and demanding cryptocurrency payments in return for restoring access and withholding leaks.
Authorities reportedly used a recovery seed phrase associated with Electrum, an older Bitcoin wallet platform, to access the seized funds. However, the exact technical details were not disclosed in the public filing.
According to court documents, federal agents were able to access the wallet and subsequently move the funds to a government-controlled address. The DOJ has also refrained from detailing the evidence linking the Bitcoin to Hors.
When the cryptocurrency was seized in April, it was worth around $1.7 million but had appreciated to over $2.4 million by the time the complaint was filed.
What is the Chaos ransomware group?
According to Cisco Talos, Chaos is structured as a ransomware-as-a-service (RaaS) network.
This model allows other criminals to purchase or lease access to ransomware tools developed by the group in exchange for a share of the ransom profits. The software is marketed as cross-platform and can be used to destroy backups and exfiltrate sensitive information.
While Chaos shares its name with an existing ransomware builder, researchers believe the two are unrelated. Instead, the group appears to be deliberately taking advantage of the name to complicate attribution and mask the identities of its operators.
Chaos is believed to have been active since at least February 2025, and is known to target both individuals and businesses.
Authorities have not revealed the total number of attacks carried out by the group, nor the cumulative ransom demands involved. However, Hors is believed to be one of several active members using the Chaos platform.
DOJ’s recovery efforts
In recent months, the Department of Justice has been working closely with law enforcement agencies and blockchain firms to recover millions in stolen or laundered cryptocurrency.
Earlier this month, the DOJ credited stablecoin issuer Tether with helping recover $40,300 in USDT tied to a scam impersonating the Trump-Vance Inaugural Committee. Similarly, in June, the department filed a civil complaint to seize over $225 million in Tether (USDT) tied to a major pig butchering scam.
One of the largest cases to date remains the DOJ’s recovery of over $9 billion in Bitcoin from the 2016 Bitfinex hack. The assets, once considered lost, were traced and seized following years of investigation.
In a court filing earlier this year, the DOJ confirmed that the majority of the recovered funds would be returned to the exchange itself.