August 17, 2025
U.S. seizes $2.8 million in crypto from Zeppelin ransomware operator
The U.S. Department of Justice (DoJ) announced the seizure of more than $2.8 million in cryptocurrency from suspected ransomware operator Ianis Aleksandrovich Antropenko.

Antropenko, indicted in Texas for computer fraud and money laundering, was linked to Zeppelin ransomware, a now-defunct extortion operation that ran between 2019 and 2022.

Apart from the digital asset seizure, the authorities also confiscated $70,000 in cash and a luxury vehicle.

“Antropenko used Zeppelin ransomware to target and attack a wide range of individuals, businesses, and organizations worldwide, including in the United States,” reads the U.S. DoJ announcement.

“Specifically, Antropenko and his coconspirators would encrypt and exfiltrate the victim’s data, and typically demand a ransom payment to decrypt the victim’s data, refrain from publishing it, or to arrange the data’s deletion.”

After receiving the ransom payments, Antropenko attempted to launder the amounts on the coin tumbling service ChipMixer, seized by authorities in March 2023.

Other money laundering methods Antropenko used include crypto-to-cash exchanges and structured deposits, that is, breaking large sums into smaller deposits to stay under bank reporting thresholds.

The Zeppelin ransomware came into existence in late 2019 as a new variant of the VegaLocker/Buran ransomware, targeting healthcare and IT firms through MSP software flaws.

In 2021, following a period of dormancy, Zeppelin operators returned with updated versions, though the encryption scheme used in those later attacks showed signs of sloppy implementation.

By November 2022 the Zeppelin operation was essentially defunct. It was revealed at that time that security researchers from Unit221b had held the decryption key since early 2020 and had been using it to help victims recover their files for free.

In January 2024, news came out suggesting that the Zeppelin ransomware source code was sold on a hacking forum for just $500.

The indictment against Antropenko shows that evidence can lead to unmasking ransomware operators even years after halting their cybercriminal activities.

The seizure of the $2.8 million believed to be from ransom proceeds follows other similar actions that the U.S. authorities announced recently, including the confiscation of cryptocurrency worth $1 million from BlackSuit ransomware and $2.4 million worth of Bitcoin from Chaos ransomware.

Seizing crime proceeds is vital in the fight against ransomware, especially in cases where no arrests are made, as it prevents operators and affiliates from using those funds to rebuild infrastructure or recruit new members.
