The cybercriminal group that operates the DarkSide ransomware may have made at least $90 million from its activities, say analysts at the firm Crystal Blockchain. The firm announced that it had identified a bitcoin address used by the DarkSide ransomware group to receive the ransom paid by Colonial Pipeline. Last week the American fuel pipeline operator Colonial Pipeline had to suspend operations for six days after a DarkSide ransomware attack. On May 8 the company paid the attackers 75 bitcoins (about $5 million) and was soon able to begin restoring service.
Information security firm Elliptic was also able to identify the DarkSide wallet address but chose not to publish it. Crystal Blockchain saw no reason to withhold it from the public and shared the address with CoinDesk readers. According to Kyrylo Chykhradze, product director at Crystal Blockchain, several facts indicate that this particular address was used by DarkSide to collect ransom from its victims.
“We identify transactions on the blockchain knowing the date of the transaction and the amount sent. We analyzed each potential cluster (addresses) and found additional evidence in one: a $4.4 million or 78 BTC transaction sent by the chemical distribution company Brenntag,” said Chykhradze.
Brenntag, another DarkSide victim, paid its ransom on May 11. Elliptic also cited this transaction as further evidence tying the bitcoin addresses to the group. Another piece of evidence cited by both Elliptic and Crystal: the last transaction involving these addresses took place on Thursday, May 13, the day the DarkSide operation lost access to its servers.
According to Crystal Blockchain, the DarkSide cluster comprised 30 addresses that received a total of 321.5 bitcoins since the first transaction on March 4. All of these funds eventually left the cluster, with the largest share sent to the cryptocurrency exchange Binance (more than 53.3 bitcoins, or about 16% of all funds).
The second-largest recipient was the darknet market Hydra, which received more than 14.6 bitcoins (4.5% of the funds) from DarkSide wallets. Hydra is the largest darknet drug market in the world, operating mainly in Russia and Eastern Europe.
Other recipients of DarkSide funds include the little-known exchanges Ren and Zillion Bits, the US-based centralized exchange Poloniex and the Estonia-based Garantex. Smaller amounts also went to other major exchanges and peer-to-peer trading platforms, including Coinbase, Huobi, OKEx, Paxful and LocalBitcoins. A relatively small amount ended up in Wasabi Wallet, a privacy-focused wallet.
The last transaction involving the cluster occurred on May 13, when 107 bitcoins were sent to a single previously unseen address that was active for only one day and received just three incoming transactions. Those 107 bitcoins, worth more than $4.5 million, remain in that wallet, whose owner is unknown.
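The date-and-amount matching that Chykhradze describes, and the outflow accounting by counterparty in the paragraphs above, as an added worked example in Python. This is illustration code written for this page, not Crystal Blockchain's or Elliptic's tooling; the ledger, addresses, cluster tags and entity labels are constructed, and the matching window and amount tolerance are assumed parameters. It also shows why a date+amount match alone is only a candidate set: a second independent payment (the Brenntag-style 78 BTC transaction) is what narrows it to one cluster.

```python
"""Added example (not from the article, nor Crystal Blockchain's or Elliptic's
code): match a known ransom payment on-chain by date and amount, then attribute
a cluster's outflows to labelled counterparties. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (txid, timestamp, sending cluster, receiving address, BTC).
# "cluster" is the grouping an analyst has already made from spend heuristics;
# "unknown" means the input addresses have not been attributed to anyone.
LEDGER = [
    ("tx01", "2021-05-08T14:02:00", "victim-A", "ds-addr-1", 75.0),
    ("tx02", "2021-05-08T09:30:00", "unknown",  "ds-addr-7", 75.0),
    ("tx03", "2021-05-11T11:15:00", "victim-B", "ds-addr-3", 78.29),
    ("tx04", "2021-05-12T03:00:00", "darkside", "binance-hot-1", 53.3),
    ("tx05", "2021-05-12T05:40:00", "darkside", "hydra-deposit-9", 14.6),
    ("tx06", "2021-05-13T08:00:00", "darkside", "one-day-addr", 107.0),
    ("tx07", "2021-05-09T12:00:00", "unknown",  "coinbase-x", 0.9),
]

# Constructed attribution table: receiving address -> entity label. A real
# analytics vendor builds this from exchange deposit-address clustering.
LABELS = {
    "binance-hot-1": "Binance",
    "hydra-deposit-9": "Hydra",
    "coinbase-x": "Coinbase",
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_candidate_payments(ledger, paid_on, amount_btc, window_hours=24, tolerance=0.01):
    """Return (txid, receiving address) pairs whose timestamp lies within
    window_hours of paid_on and whose value is within tolerance (fractional)
    of amount_btc. The window and tolerance are assumed values for this example.
    This is the date+amount heuristic from the article: by itself it yields
    candidates, not proof, so two 75 BTC transfers on the same day both match."""
    centre = parse_ts(paid_on)
    lo, hi = centre - timedelta(hours=window_hours), centre + timedelta(hours=window_hours)
    hits = []
    for txid, ts, _src, dst, btc in ledger:
        if lo <= parse_ts(ts) <= hi and abs(btc - amount_btc) <= tolerance * amount_btc:
            hits.append((txid, dst))
    return hits


def attribute_outflows(ledger, cluster, labels):
    """Sum BTC leaving `cluster` per counterparty label; destinations with no
    label are grouped under 'unattributed'. Returns (totals_by_label, total_out)."""
    totals = defaultdict(float)
    for _txid, _ts, src, dst, btc in ledger:
        if src == cluster:
            totals[labels.get(dst, "unattributed")] += btc
    return dict(totals), sum(totals.values())


def share_of_outflows(totals, total_out):
    """Percentage of the cluster's outflows per label, rounded to 0.1%."""
    if not total_out:
        return {}
    return {label: round(100 * btc / total_out, 1) for label, btc in totals.items()}


if __name__ == "__main__":
    # Colonial-style query: 75 BTC on 2021-05-08 gives two candidates, not a unique hit.
    print(find_candidate_payments(LEDGER, "2021-05-08T12:00:00", 75.0))
    # A second, independent payment (78.29 BTC on 2021-05-11) gives a single candidate.
    print(find_candidate_payments(LEDGER, "2021-05-11T12:00:00", 78.29))
    totals, out = attribute_outflows(LEDGER, "darkside", LABELS)
    print(totals, out, share_of_outflows(totals, out))
```

In practice the candidate set is cross-checked against the other signals the article mentions, such as a second victim's payment landing in the same cluster and activity stopping on a known date, before an address is attributed to a group; the unlabelled 107 BTC destination in the sample is the analogue of the one-day address the article describes.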