Particle.news

Embargo Ransomware Tops $34.2M in Crypto, Prompting Stricter Payment Rules

Persistent attacks on U.S. healthcare alongside $18.8 million in dormant wallets have prompted calls for tighter payment laws.

Overview

  • TRM Labs reports that Embargo has amassed $34.2 million in cryptocurrency ransoms by targeting high-value U.S. healthcare, business services and manufacturing since April 2024.
  • Roughly $18.8 million of the group’s proceeds remain parked in unattributed wallets, suggesting a deliberate tactic to evade blockchain tracing.
  • Embargo operates as a ransomware-as-a-service platform, leasing its Rust-based malware to affiliates who deploy double extortion schemes against critical sectors.
  • On-chain analysis reveals ties to the defunct BlackCat/Alphv collective through shared wallet clusters and nearly identical data leak site designs.
  • Investigators have traced funds through Cryptex.net, high-risk exchanges and intermediary wallets, prompting proposals to ban payments for critical infrastructure and enforce rapid reporting requirements.