Blockchain investigation company Crystal Blockchain has announced that it has identified the bitcoin wallets the DarkSide ransomware group used to collect the ransom paid by Colonial Pipeline.
Last week, the American fuel giant Colonial Pipeline had to suspend its operations for six days due to a cyberattack using the DarkSide ransomware. On May 8, the company paid the extortionists 75 bitcoins (about $5 million) and was able to start restoring operations soon after. As previously reported, the information security company Elliptic had also identified the address of the DarkSide wallet, but it decided not to publish it. Crystal Blockchain, however, saw no reason to withhold it from the public and provided the address to CoinDesk readers: bc1q7eqww9dmm9p48hx5yz5gcvmncu65w43wfytpsf.
According to Kyrylo Chykhradze, Product Director of Crystal Blockchain, there are several facts indicating that this particular address was used by DarkSide to obtain ransom from its victims.
Brenntag, another DarkSide victim, paid its ransom on May 11. Elliptic also cited this transaction as additional evidence linking the bitcoin addresses to the group. A further piece of evidence cited by both Elliptic and Crystal: the last transaction involving these addresses took place on Thursday, May 13, the day the DarkSide group lost access to its servers.
According to Crystal Blockchain, the DarkSide cluster included 30 addresses, to which a total of 321.5 bitcoins have been transferred since the first transaction on March 4. All of these funds eventually left the cluster, with the largest amount sent to the Binance cryptocurrency exchange (over 53.3 bitcoins, or 16% of all funds).
The second largest recipient of funds is the underground marketplace Hydra, which received more than 14.6 bitcoins (4.5% of funds) from DarkSide wallets.
Other recipients of DarkSide funds include the little-known exchanges Ren and Zillion Bits, as well as the centralized exchanges Poloniex (US) and Garantex (Estonia). Smaller amounts were also sent to other well-known major exchanges and peer-to-peer crypto platforms, including Coinbase, Huobi, OKEx, Paxful, and LocalBitcoins. A relatively small amount ended up in a secure Wasabi wallet.
The last transaction involving the aforementioned address cluster occurred on May 13, when 107 bitcoins were sent to a single unknown address that was active for only one day and received only three incoming transactions. Currently, 107 bitcoins worth over $4.5 million remain in this wallet. It is unknown who owns them.