Embargo’s Double Extortion Play Bags $34 Million From US Victims

Embargo operates a ransomware-as-a-service model, where it partners with other groups to carry out attacks using its tools and share the profits.

Victims have included American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. Some ransom requests have been as high as $1.3 million.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

How to Pick the Right NFTs? (Animated DOs & DON'Ts)

SUBSCRIBE

ON YOUTUBE

According to TRM, Embargo uses a double extortion method. First, it encrypts the victim’s systems. Then it threatens to publish sensitive data if payment is not made.

In some cases, the group has named organizations or individuals on its website to increase pressure. While it may not operate as openly as groups like LockBit or Cl0p, its methods are still effective.

TRM’s findings suggest Embargo could be linked to the now-defunct BlackCat (ALPHV) group, which disappeared earlier this year after a suspected exit scam. Both groups use the Rust programming language, run similar websites for leaking stolen data, and appear to share some cryptocurrency wallet infrastructure.

TRM said roughly $18.8 million of the group’s earnings remain in wallets not tied to any known service.

When Embargo transfers money, it often uses multiple wallet addresses, high-risk exchanges, and even sanctioned platforms. Between May and August, TRM tracked about $13.5 million moving through different virtual asset service providers, with over $1 million going through Cryptex.net.

On August 7, Koi Security reported that a cybercrime group named GreedyBear has stolen more than $1 million in cryptocurrency. How? Read the full story.