FBI seizes over $2.3 million in Bitcoin from Chaos ransomware affiliate in Texas

The FBI’s Dallas Field Office has confiscated more than $2.3 million in cryptocurrency linked to a ransomware affiliate known as “Hors,” believed to be part of the emerging Chaos ransomware operation. The seizure, which took place on April 15, 2025, involved approximately 20.29 Bitcoin tied to cyberattacks and extortion payments from businesses based in Texas.

According to an FBI announcement, the cryptocurrency was traced to a specific address allegedly controlled by Hors, a suspected member of the Chaos group responsible for multiple ransomware attacks within the Northern District of Texas and beyond. The funds were secured from the address bc1q5d8af0crjhlnepjq08muhh55899rf2ktye3sxd.

On July 24, 2025, the U.S. Department of Justice filed a civil forfeiture complaint in federal court to gain permanent possession of the seized Bitcoin, which has appreciated in value to more than $2.4 million. Civil forfeiture enables authorities to pursue property believed to be connected to criminal conduct without requiring a criminal conviction.

The operation behind the seizure is linked to a newer version of the Chaos ransomware group, which researchers believe is a rebrand of the BlackSuit ransomware gang. This newer Chaos collective is distinct from an earlier, less sophisticated malware strain bearing the same name that was active in underground forums in 2021.

Cybersecurity analysts at Cisco Talos have pointed to strong technical similarities between BlackSuit and the new Chaos ransomware, citing overlapping encryption methods, ransom note formats, and hacking tools. These connections suggest a direct evolution of tactics and infrastructure following mounting law enforcement scrutiny of BlackSuit, particularly after its alleged involvement in a high-profile 2023 cyberattack on the City of Dallas.

BlackSuit itself is considered to have emerged from the remnants of the Conti ransomware syndicate, which disbanded in 2022 following a damaging internal data leak. That fragmentation gave rise to several successor groups, including Royal (Quantum), which eventually transitioned into BlackSuit.

Although the FBI and DOJ have not officially confirmed whether Hors belonged to the BlackSuit-aligned version of Chaos, cybersecurity sources familiar with the case assert that the seized funds are linked to the newer operation. The seizure may have been part of a broader investigation that recently resulted in the takedown of BlackSuit’s dark web extortion infrastructure.