Several of the law enforcement agencies involved in the takedown of one of the most prolific ransomware groups denied involvement in a new notice posted to the gang’s leak site — adding weight behind rumors from experts and cybercriminals that the group was attempting to carry out an elaborate exit scam.

The U.S. Justice Department, Europol and the U.K.’s National Crime Agency (NCA) were heavily involved in the December takedown of infrastructure used by the Black Cat/AlphV ransomware gang — responsible for attacks last year that crippled the biggest hotel in Las Vegas and a multibillion-dollar player in the real estate industry.

The gang restored some of its infrastructure almost immediately after the takedown but has limped along for three months while attempting to regain the confidence of criminal affiliates and partners. AlphV appeared to revive some of its criminal bonafides with a devastating attack on Change Healthcare last month that has become one of the biggest crises to face the U.S. healthcare industry this year.

But signs now indicate that the gang’s leaders are looking at the Change Healthcare attack as their last big job.

The group took its blog offline on Friday, and on Monday an affiliate of the group posted an angry message on a cybercriminal forum complaining that a ransom obtained from Change Healthcare — allegedly worth $22 million — had been stolen from them. Wired reported that blockchain data showed 350 bitcoins were sent to an address connected to AlphV on March 1.

Change Healthcare declined to confirm whether it paid the ransom, only telling Recorded Future News that it is “focused on the investigation.”

Recorded Future cybersecurity expert Dmitry Smilyanets shared a message posted to the RAMP cybercrime forum from an affiliate claiming that after getting the $22 million payment, AlphV leaders shut off their account and effectively stole the entire ransom. The affiliates noted that they still have 4 TB of data they stole from Change Healthcare.

After taking the $22 million, the gang seemingly posted a new takedown notice to its leak site, making it look like law enforcement agencies had again taken down their infrastructure.

The DOJ, Europol and the NCA all denied any involvement in the new takedown notice in comments to Recorded Future News. The FBI declined to comment.

Cybersecurity expert Fabian Wosar examined the takedown notice and said technical information indicated it was fake and simply copied from the operation in December.

“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice,” Wosar said on several social media sites.

On Tuesday, leaders of the group outright admitted that the entire ordeal was part of their effort to shutter the operation entirely.

In a message on the same RAMP cybercrime forum, a spokesperson for the group said there is “no point in making excuses” and said they "decided to completely close the project.”

“We can officially declare that the feds screwed us over. The source code will be sold, negotiations are already underway on this matter,” they wrote.

An administrator on the cybercrime forum in charge of adjudicating the dispute between AlphV and the affiliate posted a follow-up message officially closing the matter, writing "This is an exit scam.”

A novel exit scam

Several ransomware experts said theft from affiliates and exit scams are not uncommon for the kind of criminal organizations that run operations like these. Recorded Future ransomware expert Allan Liska noted that other prominent groups like REvil were caught pilfering ransoms from affiliates.

In the past, other groups have also alleged takedowns by international law enforcement agencies when attempting to close down an operation, but multiple experts said this was the first time they had seen the use of a fake seizure notice.

“The fact that cybercriminals scam other cybercriminals is not surprising, and this is not the first time it has happened. The use of a fake seizure notice is, however, unique,” said Emsisoft threat analyst Brett Callow.

“Unless the individuals behind AlphV decide that $22 million is enough to retire on, they’ll almost certainly be back with a new brand,” he added.

Liska echoed that assessment, saying the fake seizure notice was a new twist on the ransomware exit scam.

When asked whether the downfall of the AlphV group — alongside the similarly public implosion of the LockBit ransomware operation — was evidence that law enforcement takedowns were having a positive effect, experts were more split.

“I think we need more time. But, I do think it is a good thing that the operator behind AlphV, who has been doing this for a long time — remember, he has ties to Conti — has been reduced to a lowlife scammer and, despite all his bravado, [the leader of LockBit] looks to be having a very public mental breakdown (I don’t say that lightly, mental health is a serious issue),” Liska explained.

Callow said the success of law enforcement-led disruptions “shouldn’t be judged on whether comebacks are made.”

“They’re but one prong in a multi-pronged strategy and, alone, will not eliminate ransomware,” he noted.

Trustwave principal threat hunter Reegun Jayapaul, who has been tracking AlphV, said they are anticipating the group’s return “under a new guise or brand after their hiatus.”

“This tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny,” Jayapaul said.