ALPHV/BlackCat Takedown Disrupted Ransomware Network Before Suspected Exit Scam
The FBI and international partners disrupted the infrastructure of ALPHV/BlackCat, a major ransomware-as-a-service operation linked to more than 1,000 victims and attacks across U.S. critical infrastructure sectors including healthcare, manufacturing, government, emergency services, schools, and defense-related organizations. U.S. authorities seized multiple ALPHV-operated sites and said an FBI-developed decryptor was provided to more than 500 victims worldwide, helping dozens restore systems and avoid an estimated $68 million in ransom payments. Officials described ALPHV as one of the world’s most prolific ransomware groups, and said the investigation remained active even though no arrests were announced.
Months later, ALPHV appeared to collapse amid allegations that its operators staged an exit scam after receiving a reported $22 million ransom tied to the Change Healthcare attack. A new seizure notice posted on the group’s leak site was disavowed by the U.S. Justice Department, Europol, and the U.K. National Crime Agency, while researchers said it reused elements from the legitimate law-enforcement takedown page. Reporting and affiliate claims indicated the group’s leaders kept the payment, cut off an affiliate, and then announced on a cybercrime forum that they were shutting down and planned to sell the malware source code, reinforcing assessments that affiliates may migrate and the operators could reappear under a new brand.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
ALPHV says it is shutting down and plans to sell source code
After the fake seizure notice and affiliate dispute, ALPHV acknowledged on the RAMP cybercrime forum that it was ending operations. The group also said it intended to sell its source code, reinforcing assessments that the public shutdown was self-directed rather than a fresh law-enforcement action.
Law enforcement agencies deny role in new ALPHV 'shutdown'
The U.S. Justice Department, Europol, and the U.K. National Crime Agency said they were not involved in the new seizure-style notice appearing on ALPHV infrastructure. Researchers assessed the group was likely conducting an exit scam and could re-emerge under a different brand.
ALPHV posts fake seizure notice and appears to exit scam affiliate
ALPHV/BlackCat replaced its leak site with a bogus law-enforcement seizure banner that researchers said reused elements from the real December 2023 takedown. Reports indicated the operators shut out an affiliate after receiving the Change Healthcare payment and kept the proceeds, while the affiliate claimed to still hold 4 TB of stolen data.
ALPHV receives alleged $22 million Change Healthcare ransom
According to affiliate claims, blockchain analysis, and subsequent researcher reporting, ALPHV operators received a $22 million ransom payment connected to the Change Healthcare attack. The dispute over this payment became the trigger for the group's apparent collapse.
U.S.-led operation seizes ALPHV/BlackCat infrastructure
The FBI, DOJ, and international partners announced they had disrupted ALPHV/BlackCat by seizing multiple websites used by the ransomware-as-a-service group. Officials said the group had hit more than 1,000 victims over the prior 18 months, including organizations in U.S. critical infrastructure sectors.
FBI infiltrates ALPHV/BlackCat and develops victim decryptor
During a covert operation preceding the public announcement, the FBI gained access to ALPHV/BlackCat infrastructure and created a decryptor that was later used to help dozens of victims restore systems. Authorities said the tool was made available to more than 500 affected organizations and helped avert about $68 million in ransom payments.
Sources
Europol, DOJ, NCA deny involvement in recent AlphV/BlackCat ‘shutdown’ | The Record from Recorded Future News (therecord.media)
US Justice Department cracks down on ALPHV/Blackcat ransomware group targeting critical infrastructure | Industrial Cyber (industrialcyber.co)
AlphV claims to have ‘unseized’ its darkweb domain from the FBI. What’s happening? | The Record from Recorded Future News (therecord.media)
FBI posts takedown notice on AlphV ransomware group’s website | The Record from Recorded Future News (therecord.media)
US leads AlphV ransomware infrastructure takedown | Cybersecurity Dive (cybersecuritydive.com)