DarkSide bitcoins on the move following government cyberattack against REvil ransomware group

submitted by
Style Pass
2021-10-24 03:00:05

$7 million in bitcoin held by the DarkSide ransomware group is on the move, five months after the attack on Colonial Pipeline that crippled fuel supplies along the US East Coast. These funds had remained dormant since the group shut down on May 13.

DarkSide received just over $90 million in bitcoin ransom payments from around 50 victims before shutting down shortly after the Colonial Pipeline attack. The following month, US authorities seized 63.7 bitcoins that made up the affiliate’s share of the 75 BTC Colonial Pipeline ransom payment.

DarkSide is an example of “Ransomware as a Service” (RaaS). In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organisation.

The DarkSide developer maintained a wallet to hold its share of the ransom payments — including 11.3 bitcoins from the Colonial payment. On May 13, DarkSide claimed that its infrastructure, including the wallet, had been seized by an unknown third party. On the same day the wallet was emptied, with 107.8 bitcoins (then worth $5.3 million) being sent to a new bitcoin address.
