U.S. Authorities Seize $2.8 Million in Cryptocurrency from Zeppelin Ransomware Operator

The U.S. Department of Justice (DOJ) has seized more than $2.8 million in cryptocurrency from Yannis Aleksandrovich Antropenko, the alleged operator of the Zeppelin ransomware.

Antropenko faces charges in Texas for computer fraud and money laundering. He is accused of operating Zeppelin, a now-defunct ransomware strain active between 2019 and 2022.

The Ransomware Operation

“Antropenko used the Zeppelin ransomware to attack a wide range of individuals, companies, and organizations worldwide, including in the United States,” the DOJ said in its official statement. “Specifically, Antropenko and his associates encrypted and stole victims’ data, typically demanding ransom payments in exchange for decryption, as well as for promises not to publish or to delete the stolen information.”

According to investigators, Antropenko laundered ransom proceeds through multiple channels. These included:

  • Using the cryptocurrency mixing service ChipMixer (shut down by law enforcement in March 2023).
  • Exchanging cryptocurrency for cash.
  • Making structured deposits—breaking large sums into smaller transactions to evade banking oversight.

In addition to digital assets, authorities seized $70,000 in cash and a luxury vehicle linked to Antropenko.

Background on Zeppelin

Zeppelin first appeared in late 2019 as a variant of the VegaLocker/Buran malware family. It primarily targeted healthcare and IT companies in Europe and North America, often by exploiting vulnerabilities in Managed Service Provider (MSP) software.

Like many ransomware families tied to Eastern European operators, Zeppelin contained code to avoid infecting systems in Russia, Ukraine, and other CIS countries such as Kazakhstan and Belarus. This exclusion reinforced suspicions of its origins.

By the end of 2022, Zeppelin’s activity had largely faded. Around that time, researchers at Unit221b revealed they had quietly developed a decryptor, leveraging flaws in Zeppelin’s encryption scheme to help victims recover files without paying ransoms.

The Aftermath

In January 2024, threat intelligence firm KELA reported that Zeppelin’s source code and a compromised version of its builder were being sold on a hacking forum for as little as $500 — a steep fall for a once-prominent ransomware family.

The DOJ’s seizure marks one of the first major financial blows connected to Zeppelin’s operators, underscoring how law enforcement is still pursuing ransomware actors long after strains fade from the headlines.