6 March 2024

AlphV/BlackCat reportedly pulls exit scam, fakes own takedown


The infamous ALPHV/BlackCat ransomware gang, responsible for the recent UnitedHealth Group breach, appears to have pulled an exit scam, posting a bogus law enforcement seizure notice on its data leak site.

Earlier this week, reports emerged that UnitedHealth Group paid $22 million to recover access to data and systems encrypted by ALPHV/BlackCat. Around the same time, posts appeared on hacking forums from ALPHV affiliates accusing the ALPHV administrators of taking the Change Healthcare ransom and disappearing with the money without sharing the profits.

“We are affiliate plus who has been working with ALPHV for a long time and on 1st of March 2024, the victim Change Healthcare - OPTUM paid ALPHV 22M as ransom to prevent data leakage and for the decryption key,” a message posted on the RAMP hacker forum said. “But after receiving the payment ALPHV team decided to suspend our account and keep lying and delaying when we contacted ALPHV admin on TOX.”

“He kept saying they are waiting for chief admin and the coder until today they emptied the wallet and took all the money,” the hackers’ message goes on to say. The ALPHV affiliates added that they still have 4TB of Optum’s data.

In a message on the hacker forum, the ALPHV administrators said that they had decided to shut down the operation and are now selling the ransomware source code for $5 million.

According to cybersecurity expert Fabian Wosar, ALPHV set up a Python SimpleHTTPServer to serve the fake seizure banner.

“An image URL like this is what Firefox and the Tor Browser create when you use the “Save page as” function to save a copy of a website to disk,” the researcher explained in a series of posts on X (formerly Twitter).

“There is absolutely zero reason why law-enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”

Europol and the US FBI declined to comment on the seizure notice displayed on ALPHV’s leak site, while the UK’s National Crime Agency denied any involvement.
