The Long Game: How the FBI Monitored a Ransomware Empire for 11 Months Before Striking

DES MOINES, Iowa — It was 4:12 a.m. on March 8, 2026, when the stillness of the Iowa night was shattered by the synchronized thunder of breaching charges. Across four states, 37 FBI agents in full tactical gear surged simultaneously into server rooms and private residences. Their target: the “Black Ripple” ransomware crew, a sophisticated criminal syndicate that had held the American healthcare sector hostage for the better part of a year.

By the time the dust settled, six operators were in federal custody, their infrastructure seized, and their cryptocurrency wallets drained. But behind the triumph of the largest coordinated ransomware takedown in bureau history lies a darker, more uncomfortable reality: for nearly a year, federal agents had been watching the crew from the inside, silent witnesses to the very crimes they eventually dismantled.

For 11 months, the FBI’s cyber division had been embedded within Black Ripple’s digital infrastructure. They logged every keystroke, monitored every wallet transfer, and intercepted every private message. They watched as the crew encrypted patient records, froze ICU monitoring systems, and turned hospital networks into ghost towns. They had the power to stop the rampage months earlier, but they didn’t.

In the cold calculation of the FBI’s fifth-floor conference room at the J. Edgar Hoover Building, the Bureau had weighed the immediate safety of patients against the total annihilation of a criminal network. They chose the latter. It was a strategic gamble that prioritized long-term intelligence over immediate relief—a decision that has now sparked a fierce debate over ethics, accountability, and the cost of justice in the digital age.

The Whistleblower and the Tap

The genesis of the takedown was not a grand cyber-espionage breakthrough, but a disgruntled former employee. In January 2025, Dennis Hurley, a former systems engineer at the Midwest Data Vault in Des Moines, walked into the local FBI field office. He carried a USB drive and a story of suspicious outbound traffic patterns emanating from a server cage rented by a Delaware LLC called Forland Holdings.

Hurley, who had been fired the previous November, was no altruist; he admitted later that he had initially considered blackmailing the tenants himself before deciding the risk was too great. What he provided, however, was a map: the cage’s physical layout, access logs showing men working at 4:00 a.m., and, most crucially, the location of a fiber uplink running through a maintenance corridor.

Within nine days, the FBI had a court order and a plan. Under the cover of a routine maintenance window, agents installed a passive optical splitter on the fiber line. Two technicians, kept in the dark about the true nature of their task, thought they were merely upgrading a line. In reality, they were piping every packet of data flowing into and out of the Black Ripple cage to a dedicated FBI collection server seven miles away.

By February, the Bureau had identified the players. The core group was a mix of U.S. citizens—including former Department of Defense contractors Cody Farnum and Trevor Linker—and two foreign nationals operating on expired student visas. They were talented, technically proficient, and, they believed, untouchable.

The Calculus of Complicity

The FBI’s decision to allow the attacks to continue is laid out in an operational memorandum filed under seal in the Southern District of Iowa. The logic was clear: Black Ripple was merely a node in a much larger, global criminal organism. The group rented infrastructure from Eastern European affiliates, sold access to brokers in other countries, and laundered money through networks in Dubai and the Seychelles.

Had the Bureau acted in March 2025, the Hydra would have simply grown a new head. The affiliate program would have rotated its infrastructure within 48 hours, the launderers would have vanished, and the trail would have gone cold.

“The cost of that decision was written in hospital beds,” says one source close to the investigation. Throughout the spring and summer of 2025, Black Ripple struck healthcare targets from Tennessee to Georgia. Ransom demands ranged from $400,000 to nearly $5 million. Some hospitals paid; others scrambled to rebuild from backups, losing days of patient care in the process.

The FBI watched every attack in real time. They knew the target list before the emails hit the IT desks. They knew the ransom amounts before the victims did. They were building a financial map, meticulously tracking the flow of cryptocurrency—specifically Monero, which the crew erroneously believed was impossible to trace.

“Monero wasn’t the problem,” says cybersecurity expert Sarah Jenkins. “Black Ripple was sloppy at the edges. They eventually had to convert that crypto into dollars, and that meant using exchanges. Exchanges mean ‘Know Your Customer’ protocols, and those protocols meant the FBI could tie wallets to driver’s licenses.”

The “Clean” Cutout

The investigation took a tragic turn regarding the involvement of 23-year-old Kira Delane. A part-time bookkeeper in Wilmington, Delaware, Delane had been recruited by her uncle—who turned out to be a cousin of the crew’s leader, Cody Farnum—to register Forland Holdings.

Delane, who had no connection to cybersecurity and couldn’t identify a server cage if she saw one, was offered $300 a month to handle the paperwork for what she was told was a software consulting business. When agents finally interviewed her in February 2026, she was devastated to learn her name was on the lease for the criminal infrastructure.

Today, she is named as “Defendant 7” in the federal indictment, facing up to 30 years in prison for conspiracy to commit computer fraud. Her attorney argues she is a victim of fraud herself, but federal prosecutors maintain a firm line: willful blindness is no defense.

The Brink of Collapse

The operation nearly fell apart in December 2025. Trevor Linker, one of the operators, noticed a slight “lag” in the command-and-control server. The FBI’s own collection software, having been updated, had created a millisecond-level delay.

“Are we being watched?” Linker posted in the crew’s chat.

For 11 hours, the FBI faced a crisis. If they arrested the crew immediately, they would lose the broader network. If they did nothing, they risked the destruction of the evidence they had spent months gathering. In a move that highlights the high-stakes, improvisational nature of modern cyberwarfare, the Bureau pushed a remote patch to the collection server to eliminate the latency. Simultaneously, they utilized a flipped affiliate to post on a forum suggesting the lag was a widespread industry glitch. Linker bought it. The operation continued.

The Final Wave

The decision to conclude the operation was made on January 29, 2026. The debate was whether to wait for one more campaign. They chose to wait—a decision that almost resulted in catastrophe.

Black Ripple’s final act was their most ambitious: a coordinated assault on 47 hospitals on a single morning. The goal was to force the U.S. healthcare sector into a nationwide panic and retire on the proceeds. On November 17, 2025, the ransomware notes landed.

The FBI had the decryption keys, prepositioned at CISA (the Cybersecurity and Infrastructure Security Agency), ready to be released. Yet, they held back. They allowed the hospitals to operate in crisis mode for 72 hours, needing the crew to trigger the final movement of funds into exchange accounts in Dubai and Singapore.

“The Bureau made the right call, and it is still an ugly call,” says a former Justice Department official. “Patient care was delayed. Elective surgeries were postponed. It’s the kind of decision that should never be quiet, yet it was.”

The Aftermath

When the raids finally occurred in March, the FBI found more than just servers. Hidden in a document case inside the server cage was a hard drive containing 1.4 terabytes of patient data—medical records, diagnostic imaging, and billing information from hospitals hit over the previous two years. The crew had lied to their victims; instead of deleting the data upon payment, they had kept it as leverage for future extortion.

Now, over 340 hospitals are grappling with the news that their patients’ most sensitive data remains in the hands of the criminal justice system or, in the case of those affiliates still in Latvia and Moldova, may still be circulating on the dark web.

As the trials for Cody Farnum and Ashton Re approach this summer, the legacy of Black Ripple remains a cautionary tale. The FBI dismantled the crew, but the economic reality that made them successful remains untouched. Hospitals are still vulnerable, and their data is still the most valuable currency on the dark web.

The Bureau won the battle, but the war for the integrity of the American healthcare network continues. For the families whose medical records were held for ransom, and for the administrators who were kept in the dark while the FBI watched the clock, the victory feels significantly less like justice and more like a necessary, but deeply hollow, tactical win.