No charity wants to turn down donations, particularly in the middle of a funding crunch. But what if donations come from a surprising source – hackers?
While it may sound like a modern-day version of Robin Hood – electronically stealing money from companies and corporations, and giving it back digitally via bitcoin to charities – when the money comes from the proceeds of crime, the law is clear: it must be rejected.
And what is the charity to do when it doesn’t know who donated the money, who it was stolen from, or how to return it in the first place?
Cybercrime group Darkside placed two US charities in that unfortunate position last week, when it revealed that it had donated 0.88 bitcoin – worth $10,000 – to Children International and The Water Project.
The donations came, the group wrote in a “press release” on its darknet website, because “no matter how bad you think our work is, we are pleased to know that we helped change someone’s life”.
Brian Higgins, a security specialist at Comparitech.com, said the move was just attention-seeking from Darkside. “Firstly, $10,000 is a paltry sum in comparison to the vast amounts of money they’ve extorted from their victims over the years so it’s hardly a grand philanthropic gesture and, secondly, no credible charity is ever going to accept donations which are demonstrably the proceeds of crime.
“There’s a small possibility this is some kind of test to see if they could launder their criminal proceeds somehow but it’s more probable that Darkside clearly have too much time on their hands and too much stolen money knocking about in their bitcoin wallets. If they were really serious about ‘making the world a better place’ they’d all sell their laptops and stay off the internet.”
Darkside makes ransomware, software that encrypts computers, rendering them inoperable unless the encryption key is bought – often for huge sums of money.
Brokered by The Giving Block, which helps charities receive donations in cryptocurrencies such as bitcoin, ether and zcash, the donations were received by the charities involved before Darkside publicised its gifting.
That leaves them in an awkward place. In its guidance to charities, the Institute of Fundraisers says: “Donations to charities should only be rejected in exceptional circumstances, when it would be unlawful to accept it (eg, the organisation knows that the gift comprises the proceeds of crime) or accepting the donation would be detrimental to the achievement of the purposes of the organisation, as set out in its constitution.”
Children International said: “We are aware of the situation and are researching it internally; it is a first for us. If the donation is linked to a hacker, we have no intention of keeping it.”
After initial media coverage of the group’s donation, Darkside updated its post with another pair of warnings. Giving Block was told that the money was sent “through a mixer”, a form of automatic money laundering that obscures the true sender of bitcoin from the recipient, “so don’t try to get it back anywhere”.
Darkside also warned that coverage of its donations was “only harming the company that processes the donations, as well as the companies who received them”.
“Do not publish company names,” the group threatened. “The next donations will be made anonymously.”
The charity donations are part of a bizarre branding effort on the part of the group to portray itself as different from common-or-garden criminals. In a statement of intent posted in August, as it began operations, it said: “We created DarkSide because we didn’t find the perfect product for us. Now we have it.”
“Based on our principles,” the group said, it would not attack hospitals, schools, governments or charities. “We only attack companies that can pay the requested amount, we do not want to kill your business. Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income.”
In one way at least, it really is different from many ransomware outfits that came before. As well as encrypting computers, the outfit also uploads the hacked data to its own servers, where, if the ransom is not paid in time, it publishes the entire contents.
This sort of attack, known as “doxware”, was first seen in 2017, when it was used to extort individual patients at a Lithuanian cosmetic surgery clinic: they were told to pay up or their personal information would be published for all to see.