
The FBI has successfully traced and frozen millions of dollars’ worth of cryptocurrency that Caesars Entertainment paid to hackers as ransom for the restoration of access to its IT systems.
The incident was a cyberattack carried out in August 2023 by the group known as Scattered Spider. Around the same time, the same hackers also targeted MGM Resorts. However, MGM’s refusal to pay the ransom resulted in operational disruptions lasting more than a week.
Details of the FBI’s actions are outlined in a recently unsealed court document, which describes the agency’s efforts to prevent the hackers from fully laundering the ransom. Initially, the attackers demanded $30 million, but Caesars managed to negotiate the amount down to $15 million, paid in two Bitcoin transactions. Several months later, the FBI detected an attempt to convert a portion of the ransom into other cryptocurrencies, creating an opportunity to intervene.
Utilizing a commercial blockchain tracing tool, FBI agents identified a transfer of 402 BTC to the Avalanche Bridge service on January 19, 2024. This platform enables cross-chain swaps and is frequently employed by cybercriminals to obscure the trail of illicit funds—for instance, by exchanging Bitcoin for Monero, a privacy-focused cryptocurrency known for its anonymity.
The FBI contacted Ava Labs, the entity behind Avalanche Bridge, and requested the freezing of the assets. The company complied, voluntarily locking down 277.56 BTC, valued at approximately $11.8 million at the time. However, the remaining 125 BTC—worth over $5 million—had already been transferred and thus could not be frozen.
By late January, the wallet holders moved an additional $690,000 to an address associated with the Gate.io exchange. Among the assets were approximately 519,845 USDT and 1,135 XMR. The very next day, the FBI reached out to Gate.io with a request to freeze these funds. On February 4, the exchange confirmed that the request had been fulfilled.
At present, the U.S. government has formally initiated civil forfeiture proceedings. Although the court filing does not explicitly name Caesars, referring instead to “Victim A,” the timeline and details align precisely with the confirmed chronology of the attack. The hackers breached the system on August 18, 2023—the same date Caesars previously cited as the day of the incident. Authorities have already arrested one individual involved in the MGM attack, as well as several others believed to be linked to Scattered Spider.