ransom

According to TMZ, 84-year-old Nancy Guthrie was kidnapped from her home in Tucson, Arizona, on February 1, with blood left at the scene. The kidnappers sent a ransom note to TMZ and two local television stations, demanding a ransom of 6 million dollars in Bitcoin.Law enforcement released images of a suspect on February 10, showing a man wearing a ski mask and carrying a handgun tampering with the doorbell camera. Investigations suggest that the kidnappers may be from the Tucson area, with an activity range within a 700-mile radius of Tucson.The latest breakthrough is the first activity in the Bitcoin account specified in the ransom note. Despite two ransom deadlines having passed, "TODAY" host Savannah Guthrie is still attempting to contact the kidnappers and is willing to pay the ransom. Nancy needs a heart pacemaker and daily medication, and the FBI is offering a $50,000 reward for information.

According to reports from Cover News citing Malaysian media, recently, 7 local Malaysian police officers, along with 5 men, broke into a residence in Kajang, Selangor late at night, intimidating and extorting Chinese tourists, ultimately forcing the victims to transfer approximately 200,000 ringgit (about 352,000 yuan) via cryptocurrency. After the police launched an investigation, they acted swiftly and successfully arrested the involved officers.Sources revealed that the incident occurred around 11 PM at a residence in Country Heights, Kajang. That night, 8 Chinese tourists were resting inside when they were suddenly confronted by 12 men who broke in, some of whom were wearing reflective police vests and displayed police identification, claiming to be officers. The police have classified this case as armed robbery and have initiated an investigation under Section 395 of the Penal Code. Meanwhile, the police will apply for a remand order from the local court to assist in further investigations.

In the investigation of the disappearance of Savannah Guthrie's mother, Nancy Guthrie, on the "TODAY" show, a ransom email demanding millions of dollars in Bitcoin has emerged. The gossip news site TMZ reported receiving this ransom email, which included a Bitcoin address, a deadline, and threatening content.Nancy Guthrie went missing from her home in Arizona on January 31, and the police are treating the case as a "possible kidnapping." In recent years, the use of cryptocurrency in kidnapping and ransom cases has been on the rise, with a record 72 violent wrench attacks targeting cryptocurrency holders globally in 2025, a 75% increase from 2024.

According to Criptonoticias, the city government of Sanxenxo in the Galicia region of Spain suffered a ransomware attack, with hackers encrypting thousands of administrative documents and blocking system access, demanding a ransom of $5,000 in Bitcoin.The attack occurred on January 26, causing the municipal servers to completely crash, affecting the operation of essential services in the city, which has over 17,000 residents. The city government has reported the incident to the Spanish Civil Guard, refused to pay the ransom, and stated that it is enabling daily backups to restore the system.

According to India Today, the Indian Enforcement Directorate has arrested two individuals related to the BitConnect cryptocurrency scam, which involves global fraud, kidnapping, and extortion, with amounts reaching thousands of bitcoins and tens of millions of rupees in cash.The arrested individuals, Nikunj Pravinbhai Bhatt and Sanjay Kotadia, are suspected of being involved in a kidnapping and extortion case, where the victim was forced to hand over 2,254 bitcoins, 11,000 litecoins, and approximately 1.45 billion rupees in cash. Some of the extorted bitcoins were converted into ETH and USDT and transferred through multiple wallets. The Indian Enforcement Directorate has frozen and seized assets worth approximately 1.9 billion rupees, including cryptocurrency assets, stocks, and cash; to date, the total value of seized or frozen assets in this case is around 21.7 billion rupees. The investigation is still ongoing. The Indian Enforcement Directorate stated that BitConnect presented itself as a high-return investment platform, claiming that its self-developed volatility trading robot could generate returns of up to 40% per month. The agency indicated that these claims are entirely fictitious, aimed at creating a false illusion of growth, including posting about a 1% fictitious daily return rate on its website.

According to a report by Le Parisien, the French cryptocurrency tax reporting platform Waltio announced that it has been extorted by a hacker group called "Shiny Hunters." The group claims to have obtained personal data of approximately 50,000 customers of the platform, most of whom are located in France, and is demanding a ransom for it.Waltio is a company that provides portfolio tracking and tax calculation services for cryptocurrency holders. The company stated that it has reported the incident of "attempted extortion and disruption of automated data processing systems" to the police. The report noted that the hackers allegedly obtained the relevant customers' email and account balance information as early as 2024.

According to Cointelegraph, researchers from the cybersecurity company Group-IB have discovered a ransomware called "DeadLock" that is using Polygon smart contracts to hide itself and rotate proxy addresses.This ransomware was first identified in July last year, and it dynamically updates the command and control infrastructure addresses used to communicate with victims by invoking specific smart contracts. Once a victim is infected and data is encrypted, DeadLock issues a ransom note threatening to sell the stolen data if demands are not met.Researchers pointed out that storing proxy addresses on-chain makes its infrastructure extremely difficult to dismantle, as there is no central server that can be shut down, and blockchain data is permanently retained across global nodes. This method of abusing smart contracts to relay proxy addresses is highly variable. Although DeadLock currently has low exposure and a limited number of known victims, its novel attack techniques still pose a potential threat to organizations that do not take it seriously.

According to monitoring by Group-IB, the ransomware family DeadLock is using Polygon smart contracts to distribute and rotate proxy server addresses to evade security detection.This malware was first discovered in July 2025, embedding JS code that interacts with the Polygon network within HTML files, using an RPC list as a gateway to obtain server addresses controlled by the attacker. This technique is similar to the previously discovered EtherHiding, aiming to leverage decentralized ledgers to construct covert communication channels that are difficult to block. DeadLock currently has at least three variants, with the latest version also embedding the encrypted communication application Session to directly communicate with victims.

According to the U.S. Department of Justice, two American men have pleaded guilty to attacking multiple targets in the U.S. using ALPHV BlackCat ransomware.Ryan Goldberg (40) from Georgia and Kevin Martin (36) from Texas admitted to deploying ALPHV BlackCat ransomware between April and December 2023. Both are professionals in the cybersecurity industry, and they, along with another accomplice, paid 20% of the ransom as a cut to the ALPHV BlackCat administrator to gain access to the ransomware. After successfully extorting approximately $1.2 million in Bitcoin from one victim, the three split 80% of the ransom and laundered it through various means.The two defendants are scheduled to be sentenced on March 12, 2026, and could face up to 20 years in prison.

Recent cybersecurity incidents have severely impacted the South Korean financial sector, as the Qilin ransomware group successfully infiltrated the systems of 28 financial institutions by attacking a managed service provider (MSP), stealing over 1 million documents and 2 TB of data. The attackers have named this incident "Korean Leaks," which was carried out in three waves, primarily targeting South Korean asset management companies.Security experts suspect that this attack may be linked to the North Korean hacker group Moonstone Sleet. When the attackers posted information on the data leak website, they not only demanded a ransom but also claimed to expose "systemic corruption" and "evidence of stock market manipulation," attempting to create panic in the South Korean financial market.

According to The Hacker News, the Qilin ransomware group launched a "Korean Leaks" supply chain attack by breaching the South Korean IT service provider GJTec, resulting in 28 financial companies being affected and over 1 million files totaling 2 TB of data being stolen.Bitdefender's investigation found that this operation is linked to the North Korean-backed APT "Moonstone Sleet," suspected of collaborating with the Russian-speaking Qilin group, aiming to exert pressure on the South Korean financial market.

ChainCatcher news, according to Bitcoin News, the ransomware group "Rhysida" has stolen sensitive data from the Maryland Department of Transportation and is auctioning this data for 30 bitcoins (approximately 3.4 million USD).

ChainCatcher news, Replit CEO stated that North Korean IT remote workers (ITW) are using AI tools to secure remote jobs in the U.S., generating hundreds of millions of dollars for North Korea. On this, blockchain detective ZachXBT responded that North Korean IT remote workers are involved in at least 25 hacking or ransom incidents targeting companies in the cryptocurrency industry. The affected companies are all enterprises in the crypto field.

ChainCatcher news, according to the U.S. Department of Justice, British citizen Thalha Jubair has been charged for participating in at least 120 cyber intrusions and ransomware attacks involving 47 U.S. entities, with a total ransom paid by victims exceeding $115 million.The indictment alleges that 19-year-old Jubair (also known by aliases "EarthtoStar," "Brad," "Austin," etc.) collaborated with a cybercrime group known as "Scattered Spider" to gain unauthorized network access through social engineering techniques, steal and encrypt information, and then extort ransom from victims. The group also targeted U.S. critical infrastructure companies and the U.S. court system. Law enforcement successfully seized approximately $36 million in cryptocurrency when they shut down servers in July 2024. Jubair faces multiple charges including computer fraud, telecommunications fraud, and money laundering, with a maximum sentence of 95 years in prison.

ChainCatcher news reports that according to the latest report released by the AI infrastructure company Anthropic, its AI chatbot Claude is being used by cybercriminals to carry out large-scale cyberattacks, with some ransom amounts reaching up to $500,000.The report points out that despite Claude having "complex" security measures, criminals are still able to bypass restrictions through a social engineering technique known as "vibe hacking." This method leverages AI to manipulate human emotions, trust, and decision-making, allowing attackers with limited technical skills to carry out sophisticated cybercrimes.Cases show that a hacker used Claude to steal sensitive data from at least 17 organizations, including medical, government, and religious entities, and demanded ransom in the form of Bitcoin, ranging from $75,000 to $500,000. Additionally, Claude has also been used to assist North Korean IT workers in faking identities, passing technical tests, and obtaining remote positions at top U.S. tech companies, with the income being used to support the North Korean regime.

ChainCatcher news, a so-called reward of $50,000 from the European Union Agency for Law Enforcement Cooperation (Europol) to track down the administrators of the Russian ransomware gang Qilin, is actually just a Telegram scam. This false reward message has deceived several cybersecurity news outlets, leading them to mistakenly believe that Europol would pay a reward to anyone who could provide information about the two Qilin administrators, Haise and XORacle.It is claimed that these two are responsible for "coordinating affiliate organizations and overseeing ransomware activities," and Europol is seeking intelligence that could "directly lead to the identification or location of these administrators."However, Europol confirmed to Security Week that this so-called reward is actually a "scam," and the agency has never issued such a reward.

ChainCatcher News, the U.S. Department of Justice announced that after unsealing six search warrants in federal courts in Virginia, California, and Texas, over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury car were seized. These assets are allegedly related to the ransomware proceeds laundered by Ianis Aleksandrovich Antropenko, who is currently facing charges in the Northern District of Texas.According to the indictment, Antropenko and his associates deployed Zeppelin ransomware to infiltrate victim systems, encrypt data, and steal information, subsequently demanding ransom payments in exchange for decrypting files, preventing leaks, or deleting stolen data. Victims include individuals, businesses, and institutions both domestically and internationally.The search warrants reveal that Antropenko laundered the ransom proceeds through various channels, including the use of ChipMixer—a cryptocurrency mixing service that was dismantled in 2023 by an international law enforcement operation. He also converted cryptocurrency into cash and made incremental deposits into accounts to evade regulation.

ChainCatcher news, according to Decrypt, Texas authorities announced the seizure of $2.8 million in cryptocurrency, $70,000 in cash, and a luxury car from alleged ransomware operator Ianis Antropenko. Antropenko is accused of using Zeppelin ransomware to attack global targets.Data shows that in 2024, losses from cryptocurrency-related crimes in the U.S. reached $9.3 billion, a 66% increase year-on-year. The Department of Justice's Cyber Crime Division stated that it has recovered a total of $350 million in victim funds and prevented over $200 million in potential ransom payments.

ChainCatcher news reports that U.S. and international law enforcement agencies have seized 4 servers, 9 domain names, and approximately $1 million in Bitcoin, which are linked to a notorious Russian ransomware gang accused of attacking hundreds of institutions across critical sectors.The U.S. Department of Justice stated that the operation began on July 24, executed jointly by U.S. agencies along with those from Canada, Germany, Ireland, France, the UK, Ukraine, and Lithuania, targeting infrastructure associated with BlackSuit and Royal ransomware. Investigators believe that these two ransomware variants were developed by the same cybercrime group.Authorities claim that since 2022, the gang has extorted over $500 million in ransom, with a single ransom demand reaching as high as $60 million. It is alleged that they attacked more than 450 victims in the U.S. during this period, including hospitals, schools, police departments, energy companies, and government agencies, illegally profiting at least $370 million.The seized cryptocurrency was valued at $1,091,453 at the time of the seizure, originating from a digital wallet frozen by a trading platform in January 2024. According to court documents, these funds include a portion of Bitcoin ransom paid by a victim in April 2023, totaling $1.45 million.Victims of BlackSuit and Royal are typically required to pay ransoms in Bitcoin through dark web sites. Cybersecurity officials warn that operators of such malware often combine intimidation tactics with sophisticated data theft techniques, making it difficult to recover data without paying the ransom.

ChainCatcher news, according to Cointelegraph, blockchain intelligence company TRM Labs stated that a ransomware group named Embargo has transferred over $34 million in ransom-related cryptocurrency since April. Embargo currently has approximately $18.8 million in cryptocurrency stored in non-affiliated wallets, and experts believe this strategy may be aimed at delaying detection or taking advantage of better money laundering conditions in the future. Embargo operates under a ransomware-as-a-service (RaaS) model, primarily targeting industries with high downtime costs, including healthcare, business services, and manufacturing, and tends to attack victims within the United States, possibly due to their stronger payment capabilities.TRM's investigation suggests that Embargo may be a rebranded version of the notorious BlackCat (ALPHV) group, which disappeared earlier this year amid allegations of an exit scam. Although Embargo is not as overtly aggressive as LockBit or Cl0p, it employs a double extortion strategy: encrypting systems and threatening victims with the release of sensitive data if they do not pay. In some cases, the group publicly names victims or leaks data on its website to increase pressure.