This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records.
The FBI managed to track down and freeze millions of dollars of cryptocurrency that Caesars Entertainment sent to a group of hackers that held the casino operator’s computer systems ransom, according to a 404 Media review of a recently unsealed court document. According to the document, the FBI raced to stop the flow of funds before the hackers could move the entire $15 million ransom, and froze much of it at the moment the hackers appeared to be converting it into other cryptocurrencies.
The document provides more insight into the August 2023 ransomware attack against Caesars carried out by the loose-knit hacking group known as Scattered Spider. Around the same time, Scattered Spider also targeted MGM Resorts but that company refused to pay the ransom, and casino operations were disrupted for more than a week.
The court document does not name Caesars, instead referring to the company as “Victim A.” But the document is clearly discussing the casino. It says Victim A was the victim of a cyber attack on August 18, 2023 (the same date that Caesars previously said hackers initially broke into Caesars); and that the hackers initially demanded $30 million before Victim A negotiated the ransom down to around $15 million (these are the same amounts as the Caesars hack).
The court document says that the victim paid the extortion payment in two separate purchases of Bitcoin. The FBI then used a commercially available cryptocurrency tracing tool to follow the funds to a “bridge,” a service that lets users move value from one blockchain to another, typically by locking the original coins and issuing an equivalent token on the destination chain. For criminals, hopping chains this way is a step toward swapping Bitcoin for a harder-to-trace currency such as Monero.
The court document says whoever was in control of the cryptocurrency moved 402 BTC to an Avalanche Bridge wallet on January 19, 2024, several months after the hack itself. On that same day, the FBI contacted Ava Labs, Inc., the company behind the service, and asked it to voluntarily freeze the 402 BTC, the court document says.
“Ava Labs, Inc., agreed to voluntarily freeze the 277.56327614 BTC transferred from Extortion Wallet 2 to Avalanche Wallet 1 (which went to Combined Wallet 1 before Avalanche Wallet 1), until service of a civil forfeiture seizure warrant,” the document says. That amount of Bitcoin was valued at around $11.8 million in January 2024.
“However, Ava Labs, Inc., was not able to voluntarily freeze the 125 BTC transferred from Extortion Wallet 1 to Avalanche Wallet 1 (which went to Combined Wallet 1 before Avalanche Wallet 1) because the 125 BTC had already been transferred from Avalanche Wallet 1,” the document adds.
In other words, the FBI was able to freeze some of the funds, but not before whoever controlled the wallet was able to move around 125 BTC, valued at just over $5 million in January 2024.
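The filing describes a classic funds-flow trace: two extortion wallets feed a combined wallet, the combined wallet feeds a bridge deposit address, and part of the deposit leaves again before the freeze request lands. The following is an added example, not code from the article or from any tracing vendor, that reconstructs that reasoning on a constructed ledger. The wallet labels and BTC amounts are the ones in the filing; the timestamps, the intermediate hop ordering and the “Unknown Wallet” destination are assumptions made for illustration. It walks the transaction graph forward to find the path to a watched bridge address, then replays the ledger with first-in-first-out (FIFO) lot tracking, a common attribution heuristic in blockchain forensics, to work out which extortion wallet’s coins were still sitting at the bridge when the freeze was requested.

```python
"""Funds-flow tracing on a constructed ledger (added example; not the filing's own data)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    when: datetime   # block time (assumed)
    src: str         # sending address label
    dst: str         # receiving address label
    btc: Decimal     # amount moved


# Constructed ledger. Amounts follow the court filing; timestamps and the final
# destination ("Unknown Wallet") are assumptions for the sake of the example.
LEDGER = [
    Tx(datetime(2024, 1, 19, 9, 0), "Extortion Wallet 1", "Combined Wallet 1", Decimal("125")),
    Tx(datetime(2024, 1, 19, 9, 5), "Extortion Wallet 2", "Combined Wallet 1", Decimal("277.56327614")),
    Tx(datetime(2024, 1, 19, 10, 0), "Combined Wallet 1", "Avalanche Wallet 1", Decimal("402.56327614")),
    Tx(datetime(2024, 1, 19, 11, 0), "Avalanche Wallet 1", "Unknown Wallet", Decimal("125")),
]
FREEZE_REQUEST = datetime(2024, 1, 19, 12, 0)   # assumed time the FBI's request reached the operator
BRIDGE = {"Avalanche Wallet 1"}                  # watchlist of bridge/exchange deposit addresses


def path_to_watchlist(ledger, start, watchlist):
    """Breadth-first walk over the transaction graph; returns the first hop path
    from `start` to any watchlisted address, or None if the funds never reach one."""
    edges = {}
    for tx in ledger:
        edges.setdefault(tx.src, []).append(tx.dst)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in watchlist:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def balance_at(ledger, wallet, until):
    """Net BTC held by `wallet` after all transactions up to and including `until`."""
    bal = Decimal(0)
    for tx in ledger:
        if tx.when > until:
            continue
        if tx.dst == wallet:
            bal += tx.btc
        if tx.src == wallet:
            bal -= tx.btc
    return bal


def fifo_lots(ledger, until):
    """Replay the ledger in time order, keeping per-wallet lots of (origin, amount).
    FIFO rule: the earliest lot received is the first one spent. A wallet with no
    traced inflow is treated as the origin of whatever it sends."""
    holdings = {}
    for tx in sorted(ledger, key=lambda t: t.when):
        if tx.when > until:
            break
        src_lots = holdings.setdefault(tx.src, deque())
        need, moved = tx.btc, []
        while need > 0:
            if not src_lots:
                src_lots.append((tx.src, need))   # untraced funds: origin is the sender itself
            origin, amt = src_lots.popleft()
            take = min(amt, need)
            moved.append((origin, take))
            if amt > take:
                src_lots.appendleft((origin, amt - take))   # keep the unspent remainder
            need -= take
        holdings.setdefault(tx.dst, deque()).extend(moved)
    return holdings


def freezable(ledger, wallet, until):
    """Map origin wallet -> BTC still held at `wallet` at time `until` under FIFO."""
    out = {}
    for origin, amt in fifo_lots(ledger, until).get(wallet, ()):
        out[origin] = out.get(origin, Decimal(0)) + amt
    return out


if __name__ == "__main__":
    print(path_to_watchlist(LEDGER, "Extortion Wallet 1", BRIDGE))
    print(balance_at(LEDGER, "Avalanche Wallet 1", FREEZE_REQUEST))
    print(freezable(LEDGER, "Avalanche Wallet 1", FREEZE_REQUEST))
    print(freezable(LEDGER, "Unknown Wallet", FREEZE_REQUEST))
```

On this constructed data the bridge address still holds 277.56327614 BTC attributed to Extortion Wallet 2 at the time of the request, while the 125 BTC attributed to Extortion Wallet 1 has already left, which mirrors the split the filing describes. FIFO is only one attribution convention; other tools use last-in-first-out or proportional (“haircut”) splitting, and the same ledger can yield a different origin breakdown under each, so a practitioner should state which rule a tracing result relies on.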
Later that month, whoever controlled the funds moved around $690,000 of cryptocurrency to another wallet run by the exchange Gate.io. The cryptocurrency transferred included around 519,845 USDT (Tether, a stablecoin pegged to the U.S. dollar) and around 1,135 XMR (Monero).
The next day, the FBI contacted Gate.io and asked it to freeze that USDT and XMR. On February 4, Gate.io confirmed it had done so, according to the document.
The court document, signed by an FBI Special Agent, is the government formally asking to seize that USDT and XMR.
The FBI, prosecutors, Caesars, Gate.io, and Ava Labs did not respond to a request for comment.
Authorities have previously arrested a person allegedly linked to the MGM Resorts hack, as well as other people identified under the Scattered Spider umbrella.