A ransomware group calling itself Embargo has processed roughly $34.2 million in cryptocurrency since it emerged in April 2024, with most victims based in the United States and spread across healthcare, business services and manufacturing, according to a report from blockchain intelligence firm TRM Labs.
The firm says the group is likely linked to the earlier BlackCat or ALPHV operation, based on shared code traits, a similar leak-site setup and onchain wallet ties.
Links to BlackCat and ALPHV
Ransom payments flowed through intermediary wallets to exchanges, peer-to-peer markets, mixing services, and Cryptex.net, a platform that has since been sanctioned.
TRM points to technical overlap with older ransomware groups. The malware is written in Rust, a language also used by BlackCat. The report notes a close match in how the group runs its leak site.
Onchain traces show wallet infrastructure that ties back to the earlier operation. Taken together, the evidence suggests Embargo may be a rebrand or a successor group.
Targets and ransom demands
The report names several U.S. victims, including American Associated Pharmacies and hospitals such as Memorial Hospital and Manor in Georgia and Weiser Memorial Hospital in Idaho.
One ransom demand even reached $1.3 million. TRM says the attacks hit a mix of health providers and private firms, showing a broad target set rather than a single industry focus.
How did the money move?
TRM tracked funds from victim pay addresses into a web of intermediary wallets. From there, funds moved to high-risk exchanges, peer-to-peer platforms, mixers and Cryptex.net.
Investigators logged hundreds of deposits totalling about $13.5 million into virtual asset service providers around the world. About 17 deposits, just over $1 million in total, were routed through Cryptex.net before it faced sanctions.
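The hop-by-hop tracing TRM describes, as an added illustration that is not from the report: a constructed transfer ledger is walked from victim payment addresses through intermediary wallets to terminal addresses, and each terminal deposit is bucketed by attribution (VASP, sanctioned platform, mixer, or unattributed). The address names, amounts and attribution table are all constructed, and value propagation is deliberately simplified.

```python
from collections import defaultdict

# Constructed sample ledger, not TRM's data: (from_address, to_address, amount in USD).
# Victim payment addresses fan out through intermediary wallets to cash-out points.
TRANSFERS = [
    ("victim_pay_1", "hop_a", 1_300_000),
    ("victim_pay_2", "hop_a", 400_000),
    ("victim_pay_3", "hop_b", 250_000),
    ("hop_a", "hop_c", 1_000_000),
    ("hop_a", "exch_highrisk_1", 700_000),
    ("hop_c", "cryptex_deposit", 60_000),
    ("hop_c", "cryptex_deposit", 40_000),
    ("hop_c", "wasabi_in", 50_000),
    ("hop_c", "cold_unknown", 850_000),
    ("hop_b", "p2p_market", 250_000),
]

# Attribution of known terminal addresses (constructed). An address that receives
# funds but never sends them on and is not listed here counts as unattributed.
ATTRIBUTION = {
    "exch_highrisk_1": "vasp",
    "p2p_market": "vasp",
    "cryptex_deposit": "sanctioned",
    "wasabi_in": "mixer",
}

def trace_destinations(transfers, seeds, attribution):
    """Follow value from seed (victim payment) addresses to terminal addresses.
    Returns {category: (deposit_count, total_usd)}. A terminal address is one with
    no outgoing transfer. Simplified: no proportional taint splitting across hops."""
    outgoing = defaultdict(list)
    for src, dst, amt in transfers:
        outgoing[src].append((dst, amt))
    totals = defaultdict(lambda: [0, 0])
    seen, stack = set(), list(seeds)
    while stack:
        addr = stack.pop()
        if addr in seen:
            continue
        seen.add(addr)
        for dst, amt in outgoing[addr]:
            if outgoing[dst]:           # intermediary wallet: keep walking
                stack.append(dst)
            else:                       # terminal address: categorise the deposit
                cat = attribution.get(dst, "unattributed")
                totals[cat][0] += 1
                totals[cat][1] += amt
    return {k: tuple(v) for k, v in totals.items()}
```

Running it on the constructed ledger yields two VASP deposits, two deposits into the sanctioned platform, one mixer deposit and one large idle balance in an unattributed address, mirroring the categories TRM reports.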
Use of mixers and idle funds
The group appears to use mixers only sparingly. TRM found just two deposits into the Wasabi mixing service. A larger sum, about $18.8 million, sits in unattributed addresses.
TRM suggests criminals use such idle holdings to disrupt tracing or to wait for better cash-out options. Holding funds in unlinked addresses can slow investigators and complicate law enforcement efforts.
Ransomware-as-a-service and stealth
TRM describes Embargo as operating a ransomware-as-a-service model. That approach lets affiliates deploy attacks while the core operators take a cut. The group keeps its public profile low, using subdued branding and generating little noise so that it can grow quietly.
TRM also warns that Embargo may be testing AI and machine learning. Those tools could improve phishing lures or help mutate malware to avoid detection.
Broader trends in ransomware revenues
The findings arrive as ransomware proceeds have fallen from 2023 levels. Chainalysis reports total extortion dropped 35% in 2024 to $813 million, down from $1.25 billion the year before.
TRM’s work shows that despite the drop, major operations still move large sums. Loosely regulated exchanges, offshore platforms and weak oversight can still help cybercriminals cash out.
Enforcement and limits
TRM’s tracing highlights where pressure can be applied. Sanctions on platforms such as Cryptex.net show one way to choke off cash-out routes. The tracing also shows the limits of such measures when criminals spread funds across many services.
Greater coordination among exchanges, regulators and law enforcement could reduce the paths available to attackers.