$7 million in Bitcoin held by the DarkSide ransomware group is on the move, five months after the Colonial Pipeline attack crippled fuel supplies along the US East Coast. These funds had remained inactive since the group shut down on May 13.
DarkSide received just over $90 million in Bitcoin ransom payments from around 50 victims before it shut down shortly after the Colonial Pipeline attack. The following month, US authorities seized 63.7 Bitcoins, which was the affiliate’s share of the 75 BTC Colonial Pipeline ransom payment.
DarkSide is an example of “ransomware as a service” (RaaS). In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target’s computer system and negotiating a ransom payment with the victim’s organization.
The DarkSide developer maintained a wallet to hold his share of the ransom payments, including 11.3 Bitcoins from the Colonial payment. On May 13, DarkSide claimed that his infrastructure, including this wallet, had been seized by an unknown third party. The same day the wallet was emptied, with 107.8 Bitcoins (then worth $5.3 million) sent to a new Bitcoin address.
These funds remained inactive until yesterday (October 21). Starting at 7:00 GMT, the funds, now worth $7 million, were moved through a series of new wallets over the course of several hours, with small amounts being “peeled off” at each step.
This is a common money laundering technique, used to make it harder to trace the funds and to help convert them into fiat currency through exchanges. The process is ongoing, but small amounts have already been sent to known exchanges.
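The "peeling" pattern described above, as an added example that is not part of the original article: a small tracer over a constructed ledger that follows the large "main" output from hop to hop, records each amount peeled off, and flags peels that land at a known exchange deposit address (every address, transaction id and attribution here is made up).

```python
from collections import namedtuple

# outputs: list of (address, btc)
Tx = namedtuple("Tx", "txid inputs outputs")

# Constructed sample ledger (not real on-chain data): the bulk of the balance
# moves to a fresh address each step while a small amount is peeled off.
LEDGER = [
    Tx("tx1", ["seed"], [("hop1", 105.0), ("peel1", 2.8)]),
    Tx("tx2", ["hop1"], [("hop2", 102.5), ("exchA_deposit", 2.5)]),
    Tx("tx3", ["hop2"], [("hop3", 100.0), ("peel3", 2.5)]),
]

# Hypothetical attribution list of exchange deposit addresses.
KNOWN_EXCHANGE_DEPOSITS = {"exchA_deposit"}


def spend_of(ledger, address):
    """Return the first transaction that spends from `address`, else None."""
    for tx in ledger:
        if address in tx.inputs:
            return tx
    return None


def trace_peel_chain(ledger, start, exchanges, max_hops=50):
    """Follow the largest output of each spend as the continuing balance.

    Returns (hops, peels, alerts): the addresses the main balance passed
    through, every (txid, address, btc) peeled off along the way, and the
    subset of peels that reached a known exchange deposit address.
    """
    hops, peels, alerts = [start], [], []
    current = start
    for _ in range(max_hops):          # bound the walk; chains can loop
        tx = spend_of(ledger, current)
        if tx is None:                 # balance is resting here, stop
            break
        main_addr, _ = max(tx.outputs, key=lambda o: o[1])
        for addr, btc in tx.outputs:
            if addr == main_addr:
                continue
            peels.append((tx.txid, addr, btc))
            if addr in exchanges:
                alerts.append((tx.txid, addr, btc))
        current = main_addr
        hops.append(current)
    return hops, peels, alerts
```

In practice the seed address and the exchange list would come from wallet attribution data; the walk itself is the same.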
The movement of the dormant DarkSide funds came on the same day it was reported that the REvil ransomware group had been hacked and forced offline in a government-led operation. DarkSide was strongly associated with REvil, with the two ransomware groups sharing similarly structured ransom notes and using the same code.
Elliptic’s clients, including financial institutions and cryptocurrency exchanges, can be alerted to any client deposits originating from DarkSide wallets using our transaction and wallet screening solutions.