
The FBI Hacked and Infiltrated a Ransomware Gang for Months Before Dismantling It

The feds have found a new way to dismantle cybercrime organizations like the Hive gang: embed, monitor, then disrupt.

Photo: Win McNamee (Getty Images)

In one of the FBI’s most sophisticated cybercrime operations to date, agents infiltrated a prominent ransomware gang’s network and spent approximately six months embedded in it, Justice Department officials announced Thursday. That gang, known as Hive, was disrupted earlier this week when agents seized its server infrastructure and took down its website.

Speaking Thursday, Attorney General Merrick Garland characterized Hive as “an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world.”

A Ransomware-as-a-Service provider, Hive licensed its malware to “affiliate” hackers—contract cybercriminals, essentially—who carried out attacks on targets and shared the proceeds of successful extortions with the gang. Since Hive’s emergence approximately two years ago, the gang and its affiliates have targeted a vast array of victims, including U.S.-based healthcare facilities and hospitals during the height of the Covid-19 pandemic, Garland said.

In an effort to disrupt its activities, agents from the FBI’s Tampa field office “infiltrated” (read: hacked) Hive’s network in July of 2022. Since then, the government has been monitoring the gang’s activities, in an effort to identify its victims and gather information about how it operates.

The infiltration of Hive’s network allowed the government to obtain the decryption keys needed to recover the files of the gang’s victims, officials said. Altogether, the FBI was able to provide some 300 decryption keys to victims who were actively under attack by Hive. Another 1,000 decryption keys were provided to previous victims of the gang, officials said. Exactly how agents collected the keys was not explained.

“In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments,” said Deputy Attorney General Lisa O. Monaco Thursday. “We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

No arrests were announced in connection to the operation, and officials wouldn’t comment on whether any would be forthcoming, citing an “ongoing investigation.”

While a takedown of a major ransomware gang is obviously welcome news, Thursday’s press conference was most interesting for what it revealed about the bureau’s increasingly sophisticated cyber tactics—which include hacking and Monaco’s “21st-century cyber stakeouts.”

FBI Director Chris Wray characterized the recent investigation as involving “clandestine, persistent access” to Hive’s “control panel,” which allowed the bureau to monitor the gang’s activities and “identify” victims of ransomware attacks as they were being hacked. Garland characterized this as “court-authorized access to electronic systems”—a reference to the increasingly routine procedure in which the bureau secures a warrant to hack a network suspected of being involved in criminal activity. After the seizure, the FBI replaced Hive’s website with a gif.

Once embedded in Hive’s network, the FBI apparently sat back and watched as the gang carried out its attacks. “We hide [in the network], we watch as they proceed with their attacks, we discover the keys, and we deliver the keys to the victims so that they can decrypt their systems and don’t have to pay the ransom,” Garland said. “Finally...we take down the infrastructure. We take down the servers that power Hive’s ability to go ahead. We can only do that once we’re able to locate where the servers are—and that’s what we were able to do only very recently, and we resolved the matter last night.”

A reporter present at Thursday’s press conference asked Wray how common operations like this one are, with Wray responding: “We have started to have more and more...I’m not sure we’ve had one of quite this scale.”