• Embargo ransomware has laundered $34.2 million in crypto since April 2024, mainly hitting US healthcare targets.

• TRM Labs links Embargo to BlackCat through shared Rust code, a similar leak site design, and wallet connections.

• The group uses AI phishing and unpatched flaws to steal data, encrypt files, and demand ransoms of up to $1.3 million.

A ransomware-as-a-service group called Embargo has laundered about $34.2 million in cryptocurrency since April 2024. It has mainly targeted US healthcare facilities through advanced attacks demanding ransoms of up to $1.3 million. 

https://twitter.com/ImCryptOpus/status/1954809853433487659

TRM Labs research suggests the group could be a rebrand of the defunct BlackCat operation. Known victims include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho.

Sophisticated Operations Avoid High-Profile Tactics

Embargo operates under a ransomware-as-a-service model, giving affiliates advanced tools while keeping control over core systems and payment talks. The group avoids the high-profile tactics seen in LockBit or Cl0p campaigns. This strategy may help it evade law enforcement while expanding across healthcare, business services, and manufacturing sectors. 

Technical analysis shows similarities with BlackCat, including use of the Rust programming language, similar data leak site designs, and shared wallet infrastructure. Funds from historical BlackCat addresses have moved to wallets linked to Embargo victims.

AI-Driven Attacks Target Critical Infrastructure

The group uses artificial intelligence and machine learning to enhance attacks and avoid detection. It often exploits unpatched software vulnerabilities or uses AI-generated phishing emails to gain access. Once inside, Embargo deploys tools that disable security measures and remove recovery options before encrypting files. 
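The paragraph above describes a common pre-encryption pattern: tooling that disables security controls and destroys recovery options shortly before files are encrypted. The following is an added example (not code from the article or from TRM Labs) of how a defender might detect that pattern from process-creation logs. The log format, host names, user names and the ten-minute correlation window are all assumptions constructed for the example; the commands matched by the rules (shadow copy deletion, backup catalog deletion, boot recovery disablement, stopping a security service) are well-known precursors the page's description points at, not indicators attributed to Embargo specifically.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation log lines (hypothetical hosts and users; not from any real incident).
SAMPLE_LOGS = [
    '2024-06-01T02:13:44Z host=WS01 user=svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    '2024-06-01T02:13:45Z host=WS01 user=svc_backup cmd="wbadmin delete catalog -quiet"',
    '2024-06-01T02:13:50Z host=WS01 user=svc_backup cmd="bcdedit /set {default} recoveryenabled no"',
    '2024-06-01T02:14:02Z host=WS01 user=svc_backup cmd="net stop WinDefend"',
    '2024-06-01T09:00:00Z host=WS02 user=alice cmd="vssadmin list shadows"',
    '2024-06-01T09:05:00Z host=WS02 user=alice cmd="notepad.exe report.txt"',
]

# Assumed log line shape: "<ISO timestamp> host=<name> user=<name> cmd=\"<command line>\""
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)

# Each rule names one "remove recovery / disable security" behaviour.
# Read-only variants (e.g. "vssadmin list shadows") deliberately do not match.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
    "boot_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "security_service_stopped": re.compile(r"\bnet1?(\.exe)?\s+stop\s+(WinDefend|MsMpSvc|Sense)\b", re.I),
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def tag_command(cmd):
    """Return the names of every rule the command line triggers (empty list if benign)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def correlate(lines, window=timedelta(minutes=10)):
    """Group triggered rules per host.

    A single hit may be admin activity; two or more distinct behaviours on the same
    host inside `window` is what marks a likely pre-encryption sequence as high severity.
    """
    events = defaultdict(list)  # host -> [(timestamp, rule, user)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in tag_command(rec["cmd"]):
            events[rec["host"]].append((rec["ts"], tag, rec["user"]))

    findings = {}
    for host, evs in events.items():
        evs.sort()
        best = set()
        # Slide a window starting at each event and keep the densest set of distinct behaviours.
        for ts_i, _, _ in evs:
            in_window = {tag for ts, tag, _ in evs if ts_i <= ts <= ts_i + window}
            if len(in_window) > len(best):
                best = in_window
        findings[host] = {
            "tags": best,
            "severity": "high" if len(best) >= 2 else "medium",
            "users": sorted({user for _, _, user in evs}),
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_LOGS).items():
        print(host, f["severity"], sorted(f["tags"]), f["users"])
```

Run against the constructed lines, only WS01 is reported, and it is reported as high severity because four distinct behaviours occur within seconds of each other; the read-only `vssadmin list shadows` on WS02 produces nothing. In production the same correlation would key on an EDR or Sysmon process-creation event rather than this assumed text format.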

It applies double extortion by both encrypting and stealing sensitive data. Victims face threats of public leaks or dark web sales if payments are not made. Embargo manages all communications through its own systems to maintain negotiation control. Some incidents contain politically themed content, raising concerns about possible state alignment.

Complex Laundering Networks Involving Global Exchanges

Embargo launders ransom payments through layered networks using intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. TRM Labs tracked around $13.5 million across multiple virtual asset providers worldwide. Between May and August 2024, at least 17 deposits over $1 million moved through Cryptex.net. 

The group avoids heavy use of mixers or cross-chain bridges, preferring to route funds through multiple addresses before reaching exchanges. Around $18.8 million remains in dormant wallets, likely to disrupt tracing or delay transfers for strategic reasons.
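The two paragraphs above describe the tracing problem investigators face: ransom payments are pushed through several intermediary addresses before landing at an exchange, and a large share is simply parked in wallets that do not move. The following is an added example (not TRM Labs' tooling or any code from the article) of the basic graph walk behind that kind of analysis. The ledger, address names, amounts, day numbers and the exchange labels are all constructed for the example; real analysis would run over chain data with clustering heuristics this toy omits.

```python
from collections import defaultdict, deque

# Constructed toy ledger of transfers: (txid, from_addr, to_addr, amount_usd, day).
# Hypothetical addresses and values; nothing here is real chain data.
LEDGER = [
    ("tx1", "victim_payment_A", "hop1", 1_200_000, 1),
    ("tx2", "hop1", "hop2", 700_000, 2),
    ("tx3", "hop1", "hop3", 500_000, 2),
    ("tx4", "hop2", "exchange_highrisk_X", 700_000, 3),
    ("tx5", "hop3", "parking_wallet_P", 500_000, 4),
    ("tx6", "victim_payment_B", "hop4", 300_000, 5),
    ("tx7", "hop4", "exchange_regulated_Y", 300_000, 6),
    ("tx8", "unrelated_Z", "exchange_highrisk_X", 50_000, 6),  # noise: not connected to the seeds
]

# Assumed attribution of service deposit addresses (in practice this comes from an attribution dataset).
LABELS = {
    "exchange_highrisk_X": "high-risk exchange",
    "exchange_regulated_Y": "regulated exchange",
}


def trace(ledger, seeds, max_hops=5):
    """Breadth-first walk along outgoing transfers from the seed (victim payment) addresses.

    Returns {address: hop distance from the nearest seed}; addresses that never receive
    funds originating at a seed are not included.
    """
    out_edges = defaultdict(list)
    for _, src, dst, _, _ in ledger:
        out_edges[src].append(dst)
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt in out_edges[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def exposure(ledger, reachable, labels):
    """Sum the funds that traced addresses deposit directly into each labelled service."""
    totals = defaultdict(int)
    for _, src, dst, amt, _ in ledger:
        if src in reachable and dst in labels:
            totals[labels[dst]] += amt
    return dict(totals)


def dormant(ledger, reachable, labels, as_of_day, min_idle_days=30):
    """Find traced, unlabelled addresses still holding funds with no movement for `min_idle_days`."""
    balance = defaultdict(int)
    last_move = defaultdict(int)
    for _, src, dst, amt, day in ledger:
        balance[src] -= amt
        balance[dst] += amt
        last_move[src] = max(last_move[src], day)
        last_move[dst] = max(last_move[dst], day)
    parked = {}
    for addr in reachable:
        if addr in labels or balance[addr] <= 0:
            continue  # service deposit addresses and emptied hops are not "parked" funds
        if as_of_day - last_move[addr] >= min_idle_days:
            parked[addr] = balance[addr]
    return parked


if __name__ == "__main__":
    reach = trace(LEDGER, {"victim_payment_A", "victim_payment_B"})
    print("reachable:", reach)
    print("exchange exposure:", exposure(LEDGER, reach, LABELS))
    print("dormant balances:", dormant(LEDGER, reach, LABELS, as_of_day=40))
```

On the constructed ledger the walk reaches every hop but ignores the unrelated deposit into the same exchange, attributes $700,000 to the high-risk exchange and $300,000 to the regulated one, and reports `parking_wallet_P` as a dormant $500,000 balance. The `max_hops` cap matters on real data, where an unbounded walk from a busy exchange hot wallet would pull in unrelated flows.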

Surge in Crypto Cybercrime Losses

The emergence of Embargo comes amid rising cybercrime losses. In July 2025, hack-related losses rose 27.2% to $142 million across 17 incidents. The first half of 2025 recorded over $2.2 billion in losses from 344 cases. Other attacks include a $44.2 million breach of Indian exchange CoinDCX linked to Lazarus Group and a $42 million GMX exploit that left a $5 million bounty after recovery.