DOJ Seizes $2.8 Million in Crypto from Suspected Zeppelin Ransomware Operator
The U.S. Department of Justice has announced the seizure of more than $2.8 million in cryptocurrency from Yanis Alexandrovich Antroppenko, who stands accused of computer fraud and money laundering. Antroppenko is linked to the activities of the Zeppelin ransomware group, which between 2019 and 2022 deployed its eponymous malware in global extortion campaigns. In addition to digital assets, authorities confiscated $70,000 in cash and a luxury automobile from the defendant.
According to investigators, the perpetrator, together with accomplices, had previously targeted companies and individuals worldwide—encrypting their data, stealing copies, and demanding payment for either decryption or deletion. The illicit proceeds were laundered through the now-defunct ChipMixer service, shut down by authorities in 2023, as well as by converting cryptocurrency into cash and fragmenting large sums into smaller transactions to circumvent banking oversight.
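The structuring pattern described above (splitting a large sum into sub-threshold transfers to avoid reporting) is something a transaction-monitoring team can surface with a rolling-window aggregation. The following Python is an added illustration, not code from the article or from any investigating agency; the reporting threshold, the look-back window and the transaction records are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for this example only: a cash-reporting threshold and the
# look-back window over which sub-threshold transfers are aggregated.
THRESHOLD = 10_000.0
WINDOW = timedelta(days=3)

# Constructed sample ledger: (account, ISO-8601 timestamp, amount).
SAMPLE_TX = [
    ("acct-A", "2024-01-01T09:00:00", 9_500.0),
    ("acct-A", "2024-01-01T15:30:00", 9_200.0),
    ("acct-A", "2024-01-02T10:10:00", 8_900.0),
    ("acct-B", "2024-01-01T09:00:00", 25_000.0),  # one large transfer: reportable, not structuring
    ("acct-C", "2024-01-01T09:00:00", 3_000.0),
    ("acct-C", "2024-01-20T09:00:00", 4_000.0),   # small and far apart: no alert
]


def parse_ledger(rows):
    """Turn raw (account, timestamp, amount) rows into typed tuples."""
    return [(acct, datetime.fromisoformat(ts), float(amt)) for acct, ts, amt in rows]


def find_structuring(rows, threshold=THRESHOLD, window=WINDOW):
    """Return {account: peak rolling total} for accounts whose sub-threshold
    transfers, summed over any `window`, reach the threshold.

    Transfers at or above the threshold are excluded on purpose: they are
    reported on their own and are not evidence of splitting.
    """
    by_acct = defaultdict(list)
    for acct, ts, amt in parse_ledger(rows):
        if amt < threshold:
            by_acct[acct].append((ts, amt))

    alerts = {}
    for acct, txs in by_acct.items():
        txs.sort()                      # chronological order for the sliding window
        start, running = 0, 0.0
        for end, (ts, amt) in enumerate(txs):
            running += amt
            # Drop transfers that fell out of the look-back window.
            while ts - txs[start][0] > window:
                running -= txs[start][1]
                start += 1
            # Two or more sub-threshold transfers adding up to the threshold.
            if end - start + 1 >= 2 and running >= threshold:
                alerts[acct] = max(alerts.get(acct, 0.0), running)
    return alerts


if __name__ == "__main__":
    for acct, total in find_structuring(SAMPLE_TX).items():
        print(f"{acct}: {total:,.2f} in sub-threshold transfers within {WINDOW.days} days")
```

On the constructed ledger only `acct-A` is flagged: three transfers each below the threshold add up to 27,600 within a three-day window. The single 25,000 transfer from `acct-B` is deliberately left to the normal reporting path, and `acct-C`'s two small transfers never fall in the same window.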
Zeppelin first emerged in late 2019 as an evolution of the VegaLocker and Buran ransomware strains, exploiting vulnerabilities in IT service providers’ software and striking, among others, healthcare institutions. After a temporary pause, the group resumed operations in 2021; however, analysis of encrypted files revealed critical flaws in its cryptographic implementation. By November 2022, the campaign had effectively ceased, and it was later revealed that experts at Unit221b had possessed a decryption key enabling free file recovery as early as 2020.
In January 2024, reports surfaced that Zeppelin’s source code had been offered for sale on an underground forum for as little as $500. Although the project had already collapsed, accumulated evidence eventually led to the identification of one of its key organizers.
The recent seizure of $2.8 million marks part of a broader enforcement campaign. Previously, U.S. authorities had confiscated $1 million from operators of BlackSuit and $2.4 million in Bitcoin from the Chaos group. Such measures are regarded as pivotal in the fight against ransomware—not only depriving threat actors of vital resources but also hindering their ability to rebuild infrastructure or recruit new affiliates, even in the absence of arrests.