The team at blockchain analytics firm Elliptic revealed recently that they followed the Bitcoin (BTC) ransoms paid by Colonial Pipeline and other DarkSide ransomware victims.
Dr. Tom Robinson, Co-founder and Chief Scientist at Elliptic, regularly discusses crypto forensics, investigations, compliance, and sanctions.
Elliptic clients are now able to use their transaction screening software to “screen deposits for links to this high-profile incident,” the announcement noted.
It also mentioned that Elliptic has managed to identify the Bitcoin wallet used by the DarkSide ransomware group in order to receive ransom payments from its victims, based on their “intelligence collection and analysis of blockchain transactions.”
This wallet “received the 75 BTC payment made by Colonial Pipeline on May 8, following the crippling cyberattack on its operations – leading to widespread fuel shortages in the US,” the update from Elliptic revealed.
The Elliptic team further noted:
“Our analysis shows that the wallet has been active since 4th March 2021 and has received 57 payments from 21 different wallets. Some of these payments directly match ransoms known to have been paid to DarkSide by other victims, such as 78.29 BTC (worth $4.4 million) sent by chemical distribution company Brenntag on May 11.”
The update also mentioned:
“The affiliate’s share (the part of the ransom that goes to the deployer of the malware) of both the Colonial Pipeline and Brenntag ransom payments were sent to the same Bitcoin address, suggesting that the same party was responsible for infecting both of these businesses.”
Elliptic further noted that their analysis reveals that a “previously unreported ransom payment for ~$320,000 was made to DarkSide on the 10th May: the bitcoins originated from the same exchange used by Colonial Pipeline.”
The blockchain analytics and security firm confirmed that “in total, the DarkSide wallet has received Bitcoin transactions since March with a total value of $17.5 million.” They pointed out that ransoms “associated with previous attacks were paid to other wallets.”
Elliptic added:
“We can also use blockchain analysis to follow the money trail and determine where DarkSide is sending its ransomware proceeds, to launder them or convert them to cash. It has been reported within the past hours that DarkSide itself has ceased operations and has had its funds seized – and indeed their wallet was emptied of the $5 million in Bitcoin it contained on Thursday afternoon.”
Elliptic also noted that there’s been “speculation that the bitcoins were seized by the US government – if that is the case they didn’t actually seize most of Colonial Pipeline’s ransom payment – the majority of that was moved out of the wallet on the 9th May.”
Elliptic also mentioned that “by tracing previous outflows from the wallet, we can gain insights into how DarkSide and its affiliates were laundering their previous proceeds.” They learned that 18% of the Bitcoin was “sent to a small group of exchanges.” This information will “provide law enforcement with critical leads to identify the perpetrators of these attacks,” Elliptic noted in their blog post.
They also revealed:
“An additional 4% has been sent to Hydra, the world’s largest darknet marketplace, servicing customers in Russia and neighboring countries. As we revealed in previous research, Hydra offers cash-out services alongside narcotics, hacking tools and fake IDs. These allow Bitcoin to be converted into gift vouchers, prepaid debit cards or cash Rubles. If you’re a Russian cybercriminal and you want to cash-out your crypto, then Hydra is an attractive option.”
They added that “by identifying this wallet, Elliptic’s clients, including financial institutions, crypto exchanges and fintechs will now be alerted to any client deposits that originate from the DarkSide wallet.”
They also mentioned that, by using their transaction and wallet screening tools, they aim to ensure that DarkSide and other ransomware operators are not able to cash out or exchange their Bitcoin proceeds, thus “disincentivizing” this activity.
Elliptic’s law enforcement clients can also use the company’s software to trace funds and identify those responsible for these cyberattacks.