The U.S. Justice Department last October announced the largest asset seizure in American history: a cache of bitcoin then valued at $15 billion tied to the Cambodia-based Prince Group that prosecutors alleged oversaw an empire of human trafficking and industrial-scale scamming.

The news offered a rare glimmer of hope for victims of sophisticated cryptocurrency scams. In part due to the ease of laundering cryptocurrencies, these victims have had a notoriously difficult time recovering their lost life savings or even getting law enforcement to begin tracing such funds.

“By dismantling a criminal empire built on forced labor and deception, we are sending a clear message that the United States will use every tool at its disposal to defend victims, recover stolen assets, and bring to justice those who exploit the vulnerable for profit,” U.S. Attorney General Pam Bondi said in a joint statement.

But in the five months since the announcement, questions and frustrations have begun to swirl around the Justice Department’s handling of the historic cache of seized funds. The Justice Department has given little indication of what it plans to do with the 127,271 seized bitcoins, currently worth around $9 billion, as it has swiftly rejected claims on the funds made by attorneys representing hundreds of alleged victims.

Daniel Thornburgh and other attorneys representing hundreds of alleged victims of crypto scams say the government is not providing a viable path for returning seized funds to rightful owners.

Victims’ advocates and attorneys fear the agency may use the funds to capitalize President Trump’s national Strategic Bitcoin Reserve, a government crypto stockpile advocated by the cryptocurrency industry.

“This would lead to victims being revictimized by their own government,” said Thornburgh.

He is part of a growing number of attorneys and victim advocates who are calling for a special victim fund to take over responsibility for the historic sum of seized assets. They argue that this alternative offers a clearer path to victims receiving restitution.

The Department of Justice declined to comment on the case.

In November, the International Consortium of Investigative Journalists and 36 partner publications released The Coin Laundry investigation that showed how cryptocurrency scam victims face immense difficulty recovering funds due to the rapidly expanding illicit crypto economy. In interviews, dozens of victims told ICIJ and its media partners that they faced financial ruin as criminals rapidly laundered their stolen funds through secretive crypto wallets. In many cases, reports to law enforcement yielded no response at all.

The U.S. seizure of billions in bitcoin from the Prince Group’s founder Chen Zhi stemmed from allegations that he operated a transnational criminal organization that used forced labor in scam compounds to defraud victims worldwide. After the group was hit with U.S. and U.K. sanctions, Chen was taken into custody in Cambodia and sent to China in January 2026.

Even as victim attorneys strategize how to get their clients’ money back, fundamental questions hang over the case, including how and when U.S. authorities obtained the funds in the first place. Attorneys say that more information could help victims make stronger claims on the assets, while the Prince Group argues the lack of detail points to a flimsy case for the government holding the crypto at all. Although the Justice Department declined to comment on how it obtained the Bitcoin, the Chinese government recently accused the U.S. of stealing it through sophisticated hacking.

The government’s indictment of Chen contains apparent irregularities that are especially striking given the case’s significance. Prosecutors’ evidence against Chen relied in part on photographs alleged to illustrate the Prince Group’s violent methods.

ICIJ confirmed that one disturbing photo included in the indictment showing a man bound to an overturned chair appears to have nothing to do with the Prince Group. The exact photo was part of a light-hearted post published on a Mongolian-language website in April of 2020, describing an unusual medical incident. In another case, a man portrayed in the indictment as a victim of the Prince Group told ICIJ in an interview he had never been the victim of organized crime.

Victim claims have been swiftly rejected

When government authorities seize assets, they can keep those assets for public sector use, distribute the assets to victims who lost money to the crime in question, or do a combination of both. The process of determining if and how assets should be returned to victims is complicated and can take years.

In the wake of the Prince Group seizure, one U.S. senator said the assets could be used in part to strengthen Donald Trump’s national strategic bitcoin reserve, a U.S. government stockpile of cryptocurrency that industry proponents say will help boost the prominence of bitcoin. At the same time an array of alleged scam victims and their lawyers flooded the Justice Department with claims on the seized assets.

The department rapidly rejected many of them, asserting a wide variety of reasons why the victims had no legitimate claims, including that victims had not put forth specific evidence linking their cases to the seized funds and that they had no legal basis to credibly claim the funds in the first place.

Victims and their attorneys told ICIJ that a troubling picture is emerging of a Justice Department that appears set on rejecting claims.

Without more information about the seizure, scam victims are at a disadvantage because the alleged laundering was highly complex, making it difficult to directly link any specific scam to the cache of digital currency, according to lawyers.

“What’s happening here is not normal at all,” said Marc Fitapelli, a New York-based attorney who represents victims of cryptocurrency scams. “There should be an independent person appointed by the court to have control over these assets.”

Thornburgh told ICIJ that recent conversations with Justice Department lawyers convinced him that the government was committed to denying victim claims, so he booked a trip to Cambodia on a long-shot mission to collect additional evidence linking his cases to the Prince Group. Thornburg said he spent a grueling week in early March interviewing dozens of former workers at the country’s notorious scam compounds, but had little luck finding the documentation to connect his client’s cases to the DOJ’s seized funds.

“It was an incredible amount of work to demonstrate what I probably already knew, which was: this was going to be impossible,” Thornburgh said. “Even if I was successful, victims or their lawyers should not have to travel all the way across the world to recover their assets.”

Thornburgh expressed concern about the Justice Department’s tactics in a separate high-profile crypto forfeiture action announced in June. Last month, government attorneys argued that victims did not deserve to recover funds from this seizure because the victims had freely given it away to scammers. “Although their voluntary transfers may have been induced through misrepresentations, those transfers were made voluntarily nonetheless,” the Justice Department said in a filing.

Several experts pointed to legislation as the most promising path to recovering victim funds. Erin West, the founder of Operation Shamrock, an advocacy group for victims of cyber scams, told ICIJ the organization would be working with partners to push for legislation that allocates the seized funds to victims. “We have an amazing opportunity to put found assets back into the hands of those who deserve it most,” West said.

Fitapelli said that a call with Justice Department lawyers last month yielded little in direct answers. “I was told that victims will be contacted by the government if/when the DOJ determines it is appropriate,” he said. “So victims should hope that some lawyer at the Justice department stumbles on their file and contacts them? This is so unfair.”

Deeper questions about the money

Scam victims aren’t the only ones seeking more information from the Justice Department about the case.

Almost immediately after the government’s announcement of the historic seizure, cryptocurrency experts began to ask basic questions about the origin of the enormous pile of bitcoin. According to the U.S. officials, the Prince Group’s alleged laundering methods diverted proceeds of fraud to fund a bitcoin mining company called LuBian that created new, “clean” bitcoins. Attorneys representing thousands of alleged victims of Iranian terrorism say that this bitcoin mining operation had extensive ties to Iran and are also making claims on the seized bitcoin.

But there is a twist in the history of these coins: On the blockchain, the publicly available ledger of most cryptocurrency transactions, experts could see that the huge sum of seized bitcoin, which was reportedly stolen by an unknown hacker in 2020 and then sat dormant in crypto wallets of unknown ownership for years. This crypto remained untouched between late 2020 and mid-2024, when the cache of bitcoin moved to a new set of wallets where it has remained since, crypto analyst Yury Serov told ICIJ.

The U.S. government filings that ICIJ reviewed do not provide details on how it came into possession of the bitcoin. This lack of an official explanation has created an opening for speculation among experts, interested parties and a rival superpower. A Chinese cybercrimes agency recently suggested that the U.S. government originally stole the bitcoin through sophisticated hacking in 2020.

Last week, lawyers representing Chen demanded that the Justice Department explain how it seized the funds.

The Justice Department’s asset forfeiture filing, which describes the government’s rationale for taking the $15 billion, has also created some confusion about which victims may be entitled to the funds.

After the government announced its seizure in 2025, analysts quickly pointed out that the $15 billion in bitcoin had sat dormant in crypto wallets for years after their reported theft in 2020. Chen’s defense attorneys have argued these dormant assets have had no opportunity to commingle with any money taken from scam victims after 2020. But, in its asset forfeiture filing, some of the government’s most specific descriptions of the Prince Group’s alleged scams involve frauds that took place in 2021 and 2022 — after the seized bitcoin went dormant.

Attorneys for Chen last week criticized the asset forfeiture complaint’s use of these alleged crimes to justify seizing money that had been out of circulation since 2020.

The Prince Group argues that the U.S. government somehow took the coins and then created a story to justify keeping them. “This indictment is simply air cover for a giant cash grab — one that both does a disservice to the victims of these crypto scams and injustice to an innocent man,” a spokesperson for the Prince Group told ICIJ in a statement.

“Prosecutors used exaggerations, deceit, and outright impossibilities to convince a court to retroactively approve their theft of Bitcoin and to convince a grand jury of everyday Americans to indict an innocent man, Chen Zhi,” the spokesperson said. “Not only did prosecutors use salacious rumors and innuendo to make wild accusations completely unconnected to Chen, they made serious errors, generated falsehoods out of whole cloth, and acted with egregious negligence all in an effort to justify their desperate, unfounded allegations.”

In court filings last week, Prince Group lawyers highlighted another possibly problematic part of U.S. authorities’ case against Chen. Several photos that the indictment claimed as evidence of wrongdoing appear to have no ostensible relationship to the Prince Group or its alleged crimes.

One of these photos, offered up by U.S. prosecutors as an example of the Prince Group’s violence, shows a man bound to an overturned plastic lawnchair. But ICIJ was able to confirm that the same photo was featured on a Mongolian-language website six years ago in a post about a man whose testicles became stuck in a lawn chair and had to be extricated from the chair by medical workers. This article contains no mention of the Prince Group or any wrongdoing.

Another photo in the indictment shows a purported victim of the Prince Group with blood flowing from a head wound. However, on a Zoom call arranged by representatives for the Prince Group, the man, who requested anonymity, told ICIJ that the photo depicted injuries he sustained in a drunken fight in 2015, and that he has never been the victim of violence by an organized crime group.

Hany Farid, a visual forensics expert at the University of California at Berkeley, confirmed that the man ICIJ spoke with via Zoom is the same person pictured in the indictment.

The Department of Justice declined to comment on the photographs.

The artificial intelligence and cryptocurrency industries spent big and lost often in this week’s Illinois primaries, an early setback for technology firms that are trying to reshape the midterm elections and establish themselves as power players in American politics.

The companies flooded the state’s Democratic primaries with millions of dollars to promote candidates they believed would have a light touch when it came to regulating technologies that have begun to upend how people do their jobs and manage their finances.

Using super PACs that are allowed to spend unlimited sums of money, they ran television advertising and distributed campaign fliers that only occasionally alluded to their industries. Instead, the messaging focused on promises to combat President Donald Trump’s administration and support liberal policies, a strategy used by other organizations like the American Israel Public Affairs Committee.

But the coy strategy did not stop the AI and crypto industries’ interventions from becoming a lightning rod in the rowdy primaries in Illinois, where there was a rare glut of open seats that led to competitive races.

The crypto-backed political action committee Fairshake spent more than $10 million against Illinois Lt. Gov. Juliana Stratton, who ultimately won the Democratic nomination to succeed Sen. Dick Durbin, D-Ill.

Fairshake and Protect Progress, which is also tied to the crypto industry, spent millions more to unsuccessfully support Stratton’s main rivals, U.S. Reps. Raja Krishnamoorthi and Robin Kelly, according to filings with the Federal Election Commission.

In Illinois’ U.S. House primaries, the tech-backed groups’ campaign spending had mixed results.

State Rep. La Shawn Ford, who had supported state legislation regulating the AI and crypto industries, won the Democratic primary to succeed U.S. Rep. Danny Davis. Fairshake spent nearly $2.5 million opposing Ford’s candidacy in a race that featured at least four other political groups spending against the progressive lawmaker or for his opponents.

Meanwhile, Cook County Commissioner Donna Miller prevailed in the Democratic primary to succeed Kelly after Fairshake spent more than $800,000 against state Sen. Robert Peters, another progressive who supported legislation to regulate the crypto industry.

That race also saw the AI-backed spending at loggerheads.

The AI-backed Think Big PAC invested more than $1 million to boost the candidacy of Jesse Jackson Jr., a former congressman who pleaded guilty in a fraud scandal in 2013. But Jobs and Democracy PAC, another AI-backed group, also mounted about $1 million in negative campaign spending against Jackson during the race.

Think Big is a subsidiary of Leading the Future, a political group that is funded by major Silicon Valley executives, including the venture capitalist Marc Andreessen. Andreessen opposes federal regulations for AI and has been a staunch backer of the Republican president’s AI policies.

Jobs and Democracy PAC, by contrast, is funded by the AI company Anthropic, which favors some safety regulations on AI as the technology develops. Both PACs opposed progressive candidates who called for relatively heavy regulations on the technologies and higher taxes on wealthy Americans.

In a bright spot for the AI industry, former congresswoman Melissa Bean won the nomination to reclaim her old seat after a crowded and intense primary. Bean was supported by about $1 million in funding from AI-backed groups.

“She recognizes that the United States must work toward a national regulatory framework on AI that creates jobs, helps us stay ahead of China, and protects the safety of kids, users, and the community,” said Josh Vlasto, a political strategist for Leading the Future, an umbrella organization for AI political groups. “Leading the Future was proud to support her campaign and looks forward to working with leaders who will prioritize innovation over doomerism.”

The late-stage infusions of cash into the Illinois races totaled almost $20 million across races and served as a declaration of both industries’ political ambitions, raising the stakes in primaries that were already hotly contested.

“Corporate money is being used to paint corporate-backed candidates as fearless progressives,” said Adam Green, co-founder of the Progressive Change Campaign Committee, a political group that works to elect anti-corporate progressives.

“The question for the Democratic Party is whether we elect people who actually believe in these positions or will we elect milquetoast candidates who give lip service to these values but don’t back them in actual policy,” Green said.

Campaign finance experts and rank-and-file voters alike are still struggling with what to make of the technology industry’s political influence.

“They’re so new to the game that public opinion isn’t very well formed about them,” said Brian Gaines, a political science professor at the University of Illinois Urbana-Champaign. “You don’t get a clear signal for who is the progressive and who is the moderate on AI and crypto policies.”

“People are wary of the technology,” Gaines said, “but they don’t know what to think yet.”

___

Maya Sweedler contributed to this report.

Cryptocurrency payments and gift card platform Bitrefill has blamed the North Korea-linked hacking group Lazarus for a cyberattack on March 1, 2026, that compromised parts of its infrastructure and cryptocurrency wallets.

The attackers gained access to production keys, transferred funds from hot wallets, and exposed 18,500 purchase records containing emails, payment addresses, and IP addresses.

Approximately 1,000 records included encrypted usernames. Affected users were notified. Operations have resumed, with the company announcing to cover losses from operational capital. The incident underscores the importance of vigilance regarding crypto and on-chain security.

The modus operandi included malware, on-chain tracing and reused IP and email addresses and was similar to previous attacks attributed to North Korea’s Lazarus Group, also known as Bluenoroff, the company said in a detailed report on X.

The Lazarus Group has previously targeted crypto projects including Ronin Network, Harmony’s Horizon Bridge, WazirX, and Atomic Wallet.

How the attack unfolded

It all began with with a compromised employee laptop, which exposed legacy credentials and allowed attackers to access Bitrefill’s broader infrastructure, including parts of its database and cryptocurrency wallets.

The breach quickly became apparent when the company noticed unusual purchasing patterns among certain suppliers, signaling that attackers were exploiting its gift card inventory and supply chains. The firm also noted that attackers were draining some hot wallets and moving funds to their own addresses, following which, the system was taken offline to contain the damage.

“Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods across many countries. Safely switching all these things off and bringing them back online is not trivial,” the company said in a statement.

Since the incident, Bitrefill has been working with security researchers, incident response teams, on-chain analysts, and law enforcement to investigate the breach.

Customer data impact

Hackers accessed a small set of purchase records, approximately 18,500, containing

Bitrefill said there is no evidence that customer data was a primary target. Its logs indicate that attackers ran a limited number of queries aimed at cryptocurrency holdings and gift card inventory rather than extracting the entire database.

The platform stores minimal personal data and does not require mandatory KYC. A small subset of purchase records, approximately 18,500, was accessed, containing information such as email addresses, crypto payment addresses, and metadata including IP addresses. About 1,000 records contained encrypted names for specific products; the company is treating this data as potentially compromised and has notified affected customers directly by email.

At present, Bitrefill does not believe customers need to take any additional action, though it advises caution regarding unexpected communications related to Bitrefill or cryptocurrency.

Steps to strengthen security

In response to the breach, Bitrefill said it has already strengthened its cybersecurity practices and is working to draw lessons from the incident.

The company outlined several measures, including conducting comprehensive penetration tests with external experts, tightening internal access controls, enhancing logging and monitoring for faster threat detection, and refining incident response procedures and automated shutdown protocols.

Looking forward

Bitrefill acknowledged that this was its first major attack in more than a decade of operation but stressed that it remains well-funded and profitable, capable of absorbing operational losses. Most systems, including payments, stock, and accounts, are back online, with sales volumes returning to normal.

“Getting hit by a sophisticated attack sucks (a lot),” the company said. “But we survived. We will continue to do our best to continue deserving our customers’ trust.”