The Body Shop Ransomware: FBI Dismantles $74M Cyber-Crime Ring Hidden in Albuquerque

ALBUQUERQUE, NM — In the early hours of January 14, 2026, a tactical team of 42 FBI agents descended upon Sandia Custom Auto Body. To the neighbors on Candelaria Road, the shop was a local staple with a 4.6-star Yelp rating and an owner who sponsored Little League. But inside, behind a hidden wireless network, federal agents interrupted a live ransomware negotiation, uncovering one of the most prolific domestic cyber-criminal operations in U.S. history.


The “Shopkeeper” Signature

The investigation, codenamed “Operation Wrench Victor,” began after a devastating ransomware attack on Marian Regional Medical Center in Ohio. The hospital’s pediatric ICU and surgical schedules were frozen by a strain of code the FBI identified as “Shopkeeper.”

Special Agent Lauren Pacheco of the FBI’s Cyber Division tracked the ransom payment—a $4 million transaction in Monero—through a compromised cryptocurrency mixer. Despite the layers of obfuscation, the trail led to a residential IP address in Albuquerque registered to Brandon Kefir, the 27-year-old owner of the auto body shop.

Hidden in Plain Sight

For 18 months, the crew—consisting of four men in their late 20s—operated a “Ransomware-as-a-Service” (RaaS) model. While Kefir spent his days painting bumpers and fixing dents, he and his associates managed an affiliate network of 183 smaller criminal groups.

The Crew: The team included a computer science dropout, a former municipal water authority IT contractor, and a fired penetration tester.

The Infrastructure: The group maintained a primary server rack in the back of the shop and a redundant “expansion” site in a Rio Rancho storage unit.

The Victims: Over 340 organizations were extorted, including hospitals, school districts, and water utilities.

The $9 Million Cutlass

While the digital evidence was staggering, the physical evidence found in the shop’s vehicle bays was unprecedented. Using magnetometers and borescopes, Treasury agents discovered that the crew had been converting digital ransoms into physical gold and cash.

1987 Oldsmobile Cutlass: Agents recovered $9 million in 1kg gold bars (312 bars total) welded into a custom steel compartment in the chassis.

1972 Plymouth Satellite: $140,000 in vacuum-sealed cash was found inside the differential housing.

2015 Ford Mustang: Approximately $2 million in Bitcoin hardware wallets were hidden within the frame rails.

The Missing Millions and “Operator 5”

Despite the recovery of $31 million in assets, the investigation has revealed a massive deficit. Of the $74 million collected in ransoms, $43 million remains missing.

FBI analysts suspect the involvement of a fifth individual, known in encrypted chats only as “The Broker.” This person allegedly handled negotiations and took a separate cut of the profits through unmapped channels. As of the current indictment, “Operator 5” remains at large.


A Domestic Threat

The Albuquerque case has forced a shift in federal policy. Long framed as a foreign threat from Russia or North Korea, ransomware has been “domesticated.” “These men weren’t in a basement in Volgograd,” one analyst noted. “They were a 10-minute drive from an Olive Garden.”

The four suspects face a 47-count indictment, including conspiracy to commit computer fraud and reckless endangerment. As they await their October 2026 trial, the 1987 Cutlass sits in a federal warehouse—a $9 million relic of a crime that operated in the gap between honest labor and digital sociopathy.