DarkSide ransomware group is on the move with $6.8 million in Bitcoin

Bitcoin (BTC/USD) worth $6.8 million is being moved by the DarkSide ransomware group, which was involved in the Colonial Pipeline attack in May, according to analytics firm Elliptic. The activity is linked to another ransomware group, REvil, which is closely related to DarkSide, according to the analyst.

Until yesterday, the ransom was dormant.

Following the attack on Colonial, which threatened the petroleum supplies of five US states, DarkSide received approximately $5 million in ransom. Elliptic said in a blog post on Friday that DarkSide's share of that payment did not move until October 21. The victim initially refused to pay, but eventually agreed. According to insiders, its top priority was to reactivate the largest pipeline in the United States.

    Elliptic discovered the DarkSide wallet, and ransom payments continue to pour in.

    DarkSide, which describes itself as a “ransomware as a service” developer, kept a wallet for its share of the ransom. Elliptic discovered it through blockchain transaction analysis and intelligence gathering. This wallet received the ransom on May 8, following the cyberattack that caused nationwide fuel shortages.

    This wallet has been in use for over six months. It has received 57 payments from 21 different wallets during that time. These include ransoms known to have been paid by other victims of the group. Elliptic stated that DarkSide has received Bitcoin transactions totaling $17.5 million since the wallet’s inception.

    REvil is rumored to have claimed the DarkSide wallet.

    DarkSide reported that an unidentified third party had claimed its wallet. This individual transferred 107.8 BTC ($6.8 million) to a new address. This sum was transferred over a few hours through a series of new wallets, with small sums transferred at each step, making the funds more difficult to trace.

    REvil is being forced offline by the US government.

Elliptic associates this activity with the ransomware group REvil, which was hacked and forced offline earlier this week in a US government-led operation. According to VMware's head of cybersecurity strategy, Tom Kellermann, intelligence and law enforcement personnel stopped the group from causing further harm:

    The FBI, in collaboration with Cyber Command, the Secret Service, and other countries, has engaged in significant disruptive actions against these organizations. REvil was at the top of the list.
