The U.S. Department of Justice announced the seizure of more than $2.8 million in cryptocurrency from alleged Zeppelin ransomware operator Yanis Aleksandrovich Antropenko.
Antropenko has been charged in Texas with computer fraud and money laundering, and he is suspected of ties to the Zeppelin ransomware — a now-defunct piece of malware that was active from 2019 to 2022.
“Antropenko used the Zeppelin ransomware to attack a wide range of individuals, companies, and organizations around the world, including in the United States,” the Department of Justice said in an official statement. “In particular, Antropenko and his co-conspirators encrypted and stole victims’ data, typically demanding a ransom for decryption as well as a promise to refrain from publication and to delete the [stolen information].”
It is reported that after receiving the ransoms, Antropenko tried to launder the funds through the ChipMixer cryptocurrency mixing service, which was shut down by law enforcement back in March 2023.
Among other money laundering methods used by the suspect were exchanging cryptocurrency for cash and making structured deposits—that is, breaking large sums into smaller deposits to circumvent banking reporting requirements.
In addition to confiscating digital assets totaling $2.8 million, authorities also seized $70,000 in cash and a luxury car from Antropenko.
Recall that the Zeppelin ransomware emerged in late 2019 and was a new variant of the VegaLocker/Buran malware. The malware targeted healthcare and IT companies in Europe and North America via vulnerabilities in MSP providers’ software.
At the same time, the ransomware did not run on machines in Russia, Ukraine, and CIS countries, including Kazakhstan and Belarus. This is a noteworthy detail, since other variants of malware from the Vega family, also known as VegaLocker and Buran, specifically targeted Russian-speaking users.
By the end of 2022, Zeppelin’s activity had practically ground to a halt. It then became known that specialists from the cybersecurity company Unit221b had been helping companies affected by Zeppelin attacks for several years. The experts had discovered a number of vulnerabilities in the ransomware, which they used to create a working decryptor.
Later, in January 2024, KELA specialists reported that the source code of the Zeppelin ransomware and a cracked version of its builder were being sold on a hacking forum for only $500.