Share this article
BlackCat With a New Name? TRM Says the Ransomware Group May Have Rebranded to Embargo
Roughly $13 million has reached global VASPs, while $18.8 million sits idle in unattributed wallets — likely to slow detection and await more favorable movement conditions.
Updated Aug 11, 2025, 12:45 p.m. Published Aug 11, 2025, 12:32 p.m.
What to know:
- Ransomware group Embargo has generated over $34 million since April 2024, potentially rebranding from the defunct BlackCat operation.
- The group targets U.S. sectors like healthcare and manufacturing, demanding ransoms as high as $1.3 million.
- Embargo uses double extortion tactics and may be leveraging AI to enhance phishing and reconnaissance efforts.
Ransomware group Embargo has pulled in at least $34.2 million in various tokens since its emergence in April 2024, according to TRM Labs.
The blockchain analytics firm says the ransomware group's infrastructure and coding overlaps suggests it may be a likely rebranding of the defunct BlackCat (ALPHV) operation.
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
The group operates a ransomware-as-a-service model, providing affiliates with tooling while controlling the infrastructure and negotiations. U.S. healthcare, manufacturing, and business services have been primary targets as sectors where downtime is costly and ransom leverage is high.
Demands have reached $1.3 million, with victims including American Associated Pharmacies and multiple regional hospitals.
In its Monday report, TRM traced on-chain links between historical BlackCat wallets and addresses tied to Embargo victims, alongside off-chain similarities such as Rust-based ransomware builds and near-identical data leak sites. Affiliates appear to operate fluidly between campaigns, a common RaaS pattern.
Funds are typically moved through intermediary wallets into high-risk exchanges and sanctioned platforms like Cryptex.net, bypassing heavy reliance on mixers. Roughly $13 million has reached global VASPs, while $18.8 million sits idle in unattributed wallets — likely to slow detection and await more favorable movement conditions.
Embargo employs double extortion, combining file encryption with data theft and public leak threats. TRM believes the group may be experimenting with AI to scale phishing campaigns, mutate payloads, and speed reconnaissance — tactics increasingly common among ransomware operators.
The targeting bias toward U.S. healthcare mirrors a broader shift in ransomware strategy: hit services where operational disruption risks spill over into public safety, increasing the pressure to pay quickly.
If Embargo is indeed BlackCat under a new name, it would mark yet another high-profile ransomware pivot designed to preserve affiliate networks and payment channels while evading law enforcement focus, keeping crypto as the core rail for ransom settlement and laundering.
Read more: Ransomware Payments Fell 35% in 2024 as More Victims Refuse to Pay: Chainalysis
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
Coinbase Sees Crypto Recovery Ahead as Liquidity Improves and Fed Rate Cut Odds Climb
The crypto exchange also took note of a so-called AI bubble that continues to go strong and a weaker U.S. dollar.
What to know:
- Coinbase Institutional is seeing a potential December recovery in crypto, citing improving liquidity and a shift in macroeconomic conditions that could favor risk assets like bitcoin.
- The firm's optimism is driven by rising odds of Federal Reserve rate cuts, with markets pricing in a 93% chance easing next week, and improving liquidity conditions.
- Several recent institutional developments, including Vanguard's crypto ETF policy reversal and Bank of America's greenlighting of crypto allocations, have contributed to bitcoin's rebound from recent lows.
Top Stories
