The team at the blockchain analytics company Elliptic recently announced that it has traced the Bitcoin (BTC) ransom payments made by Colonial Pipeline and other victims of the DarkSide ransomware.
Dr. Tom Robinson, Co-Founder and Chief Scientist at Elliptic, regularly discusses crypto forensics, investigations, compliance and sanctions.
Elliptic customers can now use its transaction screening software to “check deposits for links related to this high-profile incident,” the announcement said.
It was also mentioned that Elliptic managed to identify the Bitcoin wallet used by the DarkSide ransomware group to receive ransom payments from their victims based on their “message collection and analysis of blockchain transactions”.
That wallet “received the 75 BTC payment Colonial Pipeline made on May 8 after the crippling cyberattack on its operations – resulting in widespread fuel shortages in the US,” the update from Elliptic revealed.
The Elliptic team further noted:
“Our analysis shows that the wallet has been active since March 4, 2021 and has received 57 payments from 21 different wallets. Some of these payments correspond directly to the ransom known to have been paid to DarkSide by other victims, such as the 78.29 BTC (worth $4.4 million) sent on May 11 by chemical distributor Brenntag.”
The update also mentioned:
“The partner’s share (the portion of the ransom that goes to the malware provider) in both the Colonial Pipeline and Brenntag ransom payments was sent to the same Bitcoin address, suggesting that the same party was responsible for infecting these two companies.”
Elliptic noted that its analysis found that “on May 10, a previously unreported ransom payment for ~$320,000 was made to DarkSide: the bitcoins came from the same exchange used by Colonial Pipeline.”
The blockchain analytics and security firm confirmed that “the DarkSide wallet has received bitcoin transactions totaling $17.5 million since March.” It pointed out that ransom “was paid to other wallets in connection with previous attacks”.
“We can also use blockchain analysis to follow the money trail and determine where DarkSide is sending its ransomware proceeds to be laundered or converted into cash. In the past few hours, it has been reported that DarkSide itself has ceased operations and seized its funds – and in fact, its wallet has been emptied of the $5 million in bitcoin it contained on Thursday afternoon.”
Elliptic also noted that “there has been speculation that the bitcoins have been seized by the US government – if so, they have not actually seized most of the Colonial Pipeline ransom payment – most of which was released on Nov. May be taken out of the wallet.”
Elliptic also mentioned that “tracking past wallet outflows can provide insight into how DarkSide and its affiliates laundered their past earnings”. It found that 18% of the bitcoin was “sent to a small group of exchanges”. This information will “provide important clues to law enforcement agencies in order to identify the perpetrators of these attacks,” Elliptic stated in its blog post.
They also revealed:
“Another 4% was sent to Hydra, the world’s largest darknet marketplace serving customers in Russia and neighboring countries. As we’ve found in previous research, in addition to narcotics, hacking tools, and fake IDs, Hydra also offers withdrawal services. With it, Bitcoin can be converted into gift certificates, prepaid debit cards or rubles. If you are a Russian cybercriminal and want to cash out your crypto, Hydra is an attractive option.”
They added that “by identifying this wallet, Elliptic’s customers, including financial institutions, crypto exchanges and fintechs, will now be alerted to customer deposits originating from the DarkSide wallet.”
Elliptic also mentioned that its customers can use its transaction and wallet screening tools to ensure that DarkSide and other ransomware operators cannot withdraw or exchange their Bitcoin proceeds, thereby “discouraging” this activity.
Elliptic’s law enforcement clients can also use the company’s software to track down funds and identify those responsible for these cyberattacks.
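The deposit screening and outflow tracking described above (alerting on customer deposits that trace back to a flagged wallet, summarising what flowed into it, and following where its funds went afterwards) come down to a walk over the transaction graph. The Python below is an added illustration written for this article; it is not Elliptic's code and uses no real blockchain data. The ledger is a constructed toy, every address (DARKSIDE, AFFILIATE, mixer1, exchangeX_deposit, hydra_deposit, the victim wallets) and amount is invented, and the hop-count taint rule in `screen_deposit` is a deliberate simplification of how commercial screening products score exposure.

```python
from collections import defaultdict, deque

# Constructed toy ledger of on-chain transfers: (txid, sender, receiver, amount_btc).
# Every address and amount is invented for illustration; none are real DarkSide,
# victim or exchange addresses.
LEDGER = [
    ("t1", "victimA", "DARKSIDE", 75.0),             # ransom payment
    ("t2", "victimB", "DARKSIDE", 78.29),            # ransom payment
    ("t3", "victimC", "DARKSIDE", 5.0),              # ransom payment
    ("t4", "DARKSIDE", "AFFILIATE", 60.0),           # affiliate's share paid out
    ("t5", "DARKSIDE", "mixer1", 40.0),              # remainder sent on for laundering
    ("t6", "AFFILIATE", "exchangeX_deposit", 30.0),  # affiliate cashes out at an exchange
    ("t7", "mixer1", "hydra_deposit", 10.0),         # mixer output reaches a darknet market
    ("t8", "cleanUser", "exchangeX_deposit", 2.0),   # unrelated customer deposit
    ("t9", "victimA", "DARKSIDE", 1.0),              # second payment from the same victim wallet
]


def inflow_summary(ledger, wallet):
    """Count payments into `wallet`, the distinct paying addresses, and the BTC total."""
    payments = [t for t in ledger if t[2] == wallet]
    return {
        "payments": len(payments),
        "distinct_senders": len({t[1] for t in payments}),
        "total_btc": sum(t[3] for t in payments),
    }


def outflow_shares(ledger, wallet):
    """Fraction of `wallet`'s direct outflows that went to each receiving address."""
    out = defaultdict(float)
    for _, sender, receiver, amount in ledger:
        if sender == wallet:
            out[receiver] += amount
    total = sum(out.values())
    return {addr: amount / total for addr, amount in out.items()} if total else {}


def trace_outflows(ledger, source, max_hops=3):
    """Breadth-first walk down the spending graph from `source`.

    Returns {address: hops}, where hops is the smallest number of transactions
    separating that address from `source`. Addresses more than `max_hops`
    transactions away are not reported.
    """
    edges = defaultdict(list)
    for _, sender, receiver, _ in ledger:
        edges[sender].append(receiver)
    hops = {source: 0}
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for nxt in edges[addr]:
            if nxt not in hops:  # first visit in BFS is the shortest path
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def screen_deposit(ledger, deposit_txid, flagged_wallet, max_hops=3):
    """Decide whether an incoming deposit should raise an alert for review.

    The deposit's sending address is looked up among the addresses reachable
    from `flagged_wallet`; if present, the deposit sits within `max_hops`
    transactions of the flagged funds.
    """
    tainted = trace_outflows(ledger, flagged_wallet, max_hops)
    deposit = next(t for t in ledger if t[0] == deposit_txid)
    sender = deposit[1]
    if sender in tainted:
        # +1 because the deposit transaction itself is one more hop
        return {"alert": True, "hops_from_flagged": tainted[sender] + 1}
    return {"alert": False, "hops_from_flagged": None}


if __name__ == "__main__":
    print(inflow_summary(LEDGER, "DARKSIDE"))
    print(outflow_shares(LEDGER, "DARKSIDE"))
    print(trace_outflows(LEDGER, "DARKSIDE"))
    for txid in ("t6", "t8"):
        print(txid, screen_deposit(LEDGER, txid, "DARKSIDE"))
```

Two design points are worth noting. Screening is applied per deposit rather than per receiving address: `exchangeX_deposit` receives both a tainted transfer (t6) and an unrelated one (t8), and only the former raises an alert, which is what keeps an exchange's ordinary customers from being swept up because one bad actor also used the platform. And the hop-count rule treats any reachable address as fully tainted; production tools instead propagate exposure proportionally to amounts along each path and cut it off at mixers or at a known exchange's custody wallet, so a real scoring function replaces the membership test in `screen_deposit` with a weighted one.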