The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui.

“The seized funds include ransoms paid by healthcare providers in Kansas and Colorado,” the DoJ said in a press release issued Tuesday.

The recovery of the bitcoin ransoms comes after the agency said it took control of two cryptocurrency accounts that were used to receive payments to the tune of $100,000 and $120,000 from the medical centers. The DoJ did not disclose where the rest of the payments originated from.

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said Assistant Attorney General Matthew G. Olsen of the DoJ’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”

Earlier this month, U.S. cybersecurity and intelligence agencies issued a joint advisory calling attention to the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

The incident targeting the unnamed Kansas facility is said to have occurred around the same time, prompting the Federal Bureau of Investigation (FBI) to uncover the never-before-seen ransomware strain.

It’s currently not known how the seizure was orchestrated, but it’s possible that it could have been carried out by following the money laundering trails to a cryptocurrency exchange that offers cash-out services to convert their illicit proceeds from bitcoin to fiat currency.

Besides espionage, North Korean threat actors have a storied history of directing financially-motivated hacks for the sanctions-hit nation in a multitude of ways, including targeting blockchain companies and leveraging cryptocurrency heists by making use of rogue wallet apps and exploiting crypto asset bridges.

Viewed in that light, ransomware adds yet another dimension to its multi-pronged approach of generating illegal revenues that help further its economic and security priorities.

The disruption highlights the U.S. government’s continued success with cracking down on crypto-oriented criminal activities, enabling it to recoup ransomware payments associated with DarkSide and REvil as well as funds stolen in connection with the 2016 Bitfinex hack.

The development also follows a notification from the FBI, which warned that threat actors are offering victims what appear to be investment services from legitimate companies to trick them into downloading rogue crypto wallet apps aimed at defrauding them.