{
	"id": "7c4b2a9e-9884-4f60-838e-26a0b2fcb763",
	"created_at": "2026-04-06T02:12:34.013304Z",
	"updated_at": "2026-04-10T13:12:32.710273Z",
	"deleted_at": null,
	"sha1_hash": "948b1c05863cec0266517441f5ad68a8bcf7267a",
	"title": "BlackCat ransomware shuts down in exit scam, blames the \"feds\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2385465,
	"plain_text": "BlackCat ransomware shuts down in exit scam, blames the \"feds\"\r\nBy Ionut Ilascu\r\nPublished: 2024-03-05 · Archived: 2026-04-06 02:08:18 UTC\r\nThe BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure.\r\nThe gang announced they are now selling the source code for the malware for the hefty price of $5 million.\r\nOn a hacker forum, ALPHV said that they decided \"to close the project\" because of \"the feds,\" without providing additional details or a clarification.\r\nhttps://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/\r\nPage 1 of 6\r\nHowever, a national law enforcement agency listed on the seizure banner confirmed to BleepingComputer that they were not involved in any recent disruption of ALPHV infrastructure.\r\n'The feds screwed us over'\r\nThe ransomware gang started the exit-scam operation on Friday, when they took their Tor data leak blog offline. On Monday, they further shut down the negotiation servers, saying that they decided to turn everything off, amid complaints from an affiliate that the operators stole a $20 million Change Healthcare ransom from them.\r\nYesterday, the gang's status on Tox changed to 'GG' ('good game'), hinting at the end of the operation, and later to \"selling source code 5kk,\" indicating that they wanted $5 million for their malware.\r\nBlackCat ransomware status on Tox messaging platform\r\nsource: BleepingComputer\r\nIn a message on a hacker forum shared by Recorded Future's Dmitry Smilyanets, the administrators of the operation said that they \"decided to completely close the project\" and \"we can officially declare that the feds screwed us over.\"\r\nAt the time of writing, the ALPHV leak site shows a fake banner announcing that the Federal Bureau of Investigation (FBI) seized the server in a “coordinated law enforcement action taken against ALPHV Blackcat Ransomware.”\r\nWhile the FBI has declined to comment on the seizure notice, Europol and the NCA told BleepingComputer that they are not involved in any recent disruption to ALPHV's infrastructure, even though they are listed on the fake seizure message.\r\nFake FBI banner on ALPHV ransomware data leak site\r\nsource: BleepingComputer\r\nBleepingComputer noticed that the seizure banner image is hosted under a folder named \"/THIS WEBSITE HAS BEEN SEIZED_files/,\" which clearly indicates that the banner was extracted from an archive.\r\nBanner added on ALPHV site\r\nsource: BleepingComputer\r\nRansomware expert Fabian Wosar told BleepingComputer that the ransomware gang simply set up a Python SimpleHTTPServer to serve the fake banner.\r\n\"So they simply saved the takedown notice from the old leak site and spun up a Python HTTP server to serve it under their new leak site. Lazy,\" Fabian Wosar told BleepingComputer.\r\nAdditionally, Wosar says that his contacts at Europol and the NCA \"declined any sort of involvement\" in seizing the ALPHV ransomware site.\r\nDespite the NCA's statement and evidence that the banner on the leak site is not the result of law enforcement activity, ALPHV told BleepingComputer that their infrastructure was seized.\r\nRumors of a possible exit scam from ALPHV started when a longtime ALPHV partner known as \"Notchy\" claimed that the gang had closed their account and robbed them of a $22 million payment from the ransom allegedly paid by Optum for the Change Healthcare attack.\r\nAs proof of their claim, the affiliate shared a cryptocurrency payment address that recorded only one incoming transfer of 350 bitcoins (about $23 million) from a wallet that appears to have been used specifically for this transaction on March 2nd.\r\nAfter getting the funds, the recipient address that allegedly belongs to ALPHV operators distributed the bitcoins to various wallets in equal transactions of about $3.3 million.\r\nIt is worth noting that while the recipient address is now empty, it shows that it received and sent close to $94 million.\r\nWith claims from affiliates not getting paid, a sudden shutdown of the infrastructure, cutting ties with multiple affiliates, the \"GG\" message on Tox, announcing that they're selling the malware source code, and especially pretending that the FBI took control of their websites, all this is a clear indication that ALPHV/BlackCat ransomware administrators are exit scamming.\r\nWho is BlackCat/ALPHV ransomware\r\nThe operators of BlackCat have been involved in ransomware since at least 2020, first launching as DarkSide in August 2020 as a ransomware-as-a-service (RaaS) operation.\r\nA RaaS is when core operators develop a ransomware encryptor and negotiation sites and recruit affiliates to use their tools to conduct ransomware attacks and steal data.\r\nAfter a ransom is paid, the operators split the ransom payment, with affiliates and their teams usually receiving 70-80% of the payment and the operation receiving the rest.\r\nAfter their widely publicized attack on Colonial Pipeline, the threat actors shut down the DarkSide operation in May 2021 under intense pressure from global law enforcement.\r\nWhile ransomware gangs were already under scrutiny by law enforcement, the attack on Colonial Pipeline was a tipping point for governments worldwide, who began prioritizing targeting these cybercrime operations.\r\nInstead of staying away, the operators launched a new ransomware operation called BlackMatter on July 31st, 2021.\r\nHowever, the cybercriminals quickly shut down again in November 2021 after Emsisoft exploited a weakness to create a decryptor, and servers were seized.\r\nInstead of learning from their mistakes, the ransomware operators returned in November 2021, this time under the name BlackCat or ALPHV.\r\nWhile the gang's official name is ALPHV, it was not known at the time, so researchers called it BlackCat based on the small icon of a black cat used on every victim's negotiation site.\r\nSince then, the ransomware gang has continuously evolved its extortion tactics, taking the unusual approach of partnering with English-speaking affiliates.\r\nHowever, last year, the threat actors grew increasingly toxic, working with affiliates who threatened physical harm, posting nude photos from stolen data, and aggressively calling out victims.\r\nWith this new extortion strategy, the ransomware gang was firmly planted in the crosshairs of law enforcement.\r\nIn December 2023, an international law enforcement operation seized the ransomware gang's Tor negotiation and data leak sites.\r\nThe FBI also announced that they had hacked BlackCat's servers and quietly collected information on the cybercriminals while obtaining decryptors to allow victims to recover their files for free.\r\nInstead of shutting down, the ransomware gang continued their activities, vowing to retaliate against the US government by attacking critical infrastructure.\r\nNever learning from their past mistakes, the ransomware gang once again conducted an attack that went too far, putting the full scrutiny of global law enforcement on their operation.\r\nFirst, it was Colonial Pipeline in 2020, and now it's the attack on UnitedHealth Group's Change Healthcare. The Change Healthcare attack has significantly impacted the US healthcare system after systems used by pharmacies and doctors to file claims with insurance companies were disrupted.\r\nThis disruption has led to real-world consequences for US patients who can no longer use discount cards or receive medications under their normal insurance plans, forcing them to temporarily pay full price for critical medications.\r\nThe threat actors also claimed to have stolen 6 TB of data from Change Healthcare, containing the healthcare information for millions of US citizens.\r\nAfter receiving an alleged $22 million ransom payment from Change Healthcare to not leak data and receive the decryptor, an affiliate claimed the BlackCat operators stole their money.\r\nHowever, instead of being disrupted by law enforcement, the operation has once again shut down, pulling an exit scam.\r\nAt this point, it is unclear if the ransomware gang will return under a new name. However, one thing is sure: their reputation has been significantly tarnished, making it doubtful affiliates would want to work with them in the future.\r\nUpdate [March 6, 10:53]: Article updated with comment from Europol denying any involvement in a recent disruption of ALPHV ransomware infrastructure.\r\nSource: https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/"
	],
	"report_names": [
		"blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441554,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/948b1c05863cec0266517441f5ad68a8bcf7267a.pdf",
		"text": "https://archive.orkl.eu/948b1c05863cec0266517441f5ad68a8bcf7267a.txt",
		"img": "https://archive.orkl.eu/948b1c05863cec0266517441f5ad68a8bcf7267a.jpg"
	}
}