I'm guessing the difference was the split of the 75 between different affiliates of the hackers. Maybe the initial hackers get X and the ransomware people get Y, and X+Y = 75. They only recovered one side of that transaction.
They didn't use any tumblers, that's how they got caught.
edit: it says so in the article:
As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address
I think tumblers can be traced if they are backfired or monitored. Though perhaps that requires more assumptions than the fact that they were incompetent and didn’t use any.
>As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address
Honest question: what would a backdoored mixer look like? If it had a list of trapdoor addresses (or checked addresses in real-time) and made last-minute transaction changes, say. Would any criminal risk complaining if it identified them? Does the tumbler’s reputation have a mechanism for angry criminal user stories?
The tumblers seem like a centralized chokepoint for criminals trying to launder.
They could also get caught if say, authorities hacked the computers they were using to execute the Bitcoin tumbler "trades" (or whatever the terminology is)... or used similar means to gain access to a list of crypto wallets they owned along with their passwords.
