The US Department of Justice has seized $500,000 (£417,000) worth of Bitcoin from suspected North Korean hackers.
The hackers attacked healthcare providers with a new strain of ransomware, extorting the funds from several organisations.
US authorities say they have already returned ransom payments to two hospital groups.
The rare successful seizure comes as US authorities warn that North Korea is becoming a major ransomware threat.
In a conference on Tuesday, Deputy Attorney General Lisa O. Monaco praised an unnamed Kansas hospital for alerting the FBI early about the ransomware attack.
"Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain," she said.
Hackers targeted hospital
According to court documents, hackers used the ransomware strain called Maui to encrypt the files and servers of a medical centre in Kansas in May 2021.
Typically, ransomware hackers will use malicious software to scramble data or lock users out of the system until a ransom is paid.
The Kansas hospital spent a week not being able to access its IT systems, then decided to pay approximately $100,000 in Bitcoin to regain the use of its computers and equipment.
It is not illegal to pay hacker ransoms, but it is discouraged by law enforcement organisations around the world.
The FBI says it was swiftly notified about the payment by the medical centre, which meant officers were able to identify the never-before-seen ransomware linked to North Korea and trace the cryptocurrency to China-based money launderers.
Agents were also able to identify another $120,000 Bitcoin payment made to one of the criminal cryptocurrency accounts. This turned out to be a medical provider in Colorado which had just paid a ransom after also being hacked by the Maui ransomware criminals.
The FBI says it has returned the money to the two healthcare providers, but has not said from where the rest of the seized funds have come.