DOJ Confiscates $2.8 Million in Cryptocurrency Tied to Zeppelin Ransomware
According to DOJ filings, the seized assets represent the proceeds of ransomware activity or were used to launder such proceeds. Prosecutors allege that from 2019 through 2022, Antropenko and associates deployed the Zeppelin ransomware to victimize targets around the world, including individuals, hospitals, businesses, and IT service providers across the United States. Their tactics allegedly included encrypting data, exfiltrating sensitive files, and then demanding cryptocurrency payments to restore access, suppress publication of stolen information, or permanently delete it.
Investigators say that after ransom funds were collected, the proceeds were obscured through a mix of channels intended to frustrate tracing efforts. Those methods purportedly included use of the shuttered mixing service ChipMixer—taken down in a coordinated international operation in 2023—along with cash conversions and a pattern of structured deposits designed to avoid attention from financial institutions and regulators. Through blockchain analysis, federal agents tracked wallets holding Ethereum (ETH), Tether (USDT), and USD Coin (USDC) that they linked to Antropenko, and connected exchange accounts in his name to the laundering scheme.
The investigation has been led by the FBI’s Dallas and Norfolk Field Offices together with the bureau’s Virtual Assets Unit. Since 2020, the DOJ’s Computer Crime and Intellectual Property Section (CCIPS) reports having taken enforcement action against more than 180 cybercriminals and having obtained court orders returning in excess of $350 million to victims. Officials added that CCIPS and partner agencies have disrupted multiple ransomware groups, preventing over $200 million in additional ransom payments.
Authorities indicated that the assets recovered in the Zeppelin matter will be placed into the government’s digital asset reserve, a system established by executive order in March 2025 to manage cryptocurrency seized via criminal forfeiture. The reserve is intended to provide standardized tracking and stewardship for digital assets while related prosecutions move through the courts, improving accountability and preserving value for eventual restitution where appropriate.
Background: What Is Zeppelin Ransomware?
Zeppelin emerged in late 2019 as a Ransomware-as-a-Service (RaaS) strain derived from the VegaLocker/Buran family, with a notable focus on healthcare organizations and IT providers. Although the operation resurfaced with updated variants in 2021, public reporting indicates that its activity had largely ceased by November 2022. Security researchers later disclosed that, as early as 2020, they had found a weakness in Zeppelin's encryption that let them recover per-victim decryption keys, quietly enabling many victims to restore their files without paying. By January 2024, the alleged source code for Zeppelin had reportedly been advertised on an underground forum for around $500, a signal of both its decline and the broader commoditization of ransomware tooling.
“The cryptocurrency and related assets represent proceeds of, or instruments used to launder proceeds of, ransomware activity,” DOJ officials said, underscoring the government’s ongoing focus on tracing and clawing back illicit funds.
While the criminal case against Antropenko proceeds, the seizures highlight two intersecting trends: the maturation of law-enforcement blockchain analytics, and the use of formal custody programs to preserve the value of seized digital assets. For potential victims and network defenders, the Zeppelin timeline is also a reminder of the importance of rapid incident response, offline backups, and timely engagement with authorities, particularly because researchers can sometimes recover keys or build decryptors, enabling data restoration without funding criminal enterprises.
