$6.8M in Bitcoin held by DarkSide ransomware group on the move

By: Daniela Kirova
Daniela Kirova
Daniela was born in Bulgaria, grew up in Chicago, and then moved to Michigan to attend the University of… read more.
on Oct 22, 2021
  • The attack on Colonial put the petroleum supplies of five US states at risk
  • DarkSide got about $5 million in ransom, money didn't move until yesterday
  • REvil was hacked and forced offline in a US government-led operation this week

Bitcoin (BTC/USD) worth $6.8 million held by the DarkSide ransomware group, which was involved in the Colonial Pipeline attack in May, is on the move, analytics company Elliptic reported, cited by CoinDesk. The analyst associates the activity with another ransomware group – REvil, which is closely connected to DarkSide.

Ransom was dormant until yesterday

After the attack on Colonial, which put the petroleum supplies of five US states at risk, DarkSide got about $5 million in ransom. Its share didn’t shift until October 21, Elliptic said Friday in a blog. At first, the victim refused to pay, but eventually did so. According to insiders, their biggest wish was to restore functionality to the biggest pipeline in the US.

Elliptic identified DarkSide wallet, ransom payments keep coming

Are you looking for fast-news, hot-tips and market analysis? Sign-up for the Invezz newsletter, today.

DarkSide, who describes itself as developer of “ransomware as a service,” kept a wallet for its share of the ransom. Elliptic identified it through blockchain transaction analysis and its intelligence collection. This wallet received the ransom on May 8 after the cyberattack, which caused fuel shortages nationwide.

This wallet has been active for more than six months now. In that time, it has received 57 payments from 21 different wallets. These include ransoms known to have been paid by the group’s other victims. DarkSide has received Bitcoin transactions worth $17.5 million in total since opening the wallet, Elliptic said.

DarkSide wallet presumably claimed by REvil

DarkSide informed an unknown third party had claimed its wallet. This party sent 107.8 BTC ($6.8 million) to a new address. This sum was sent over a period of few hours through a series of new wallets, with small sums being transferred at each step, making the funds harder to trace.

US government forces REvil offline

Elliptic associates this activity with ransomware group REvil, which was hacked and forced offline in a US government-led operation this week. According to VMWare head of cybersecurity strategy Tom Kellermann, intelligence staff and law enforcement prevented the group from inflicting further damage:

The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.

Invest in crypto, stocks, ETFs & more in minutes with our preferred broker, eToro
67% of retail CFD accounts lose money