Elliptic Tracks Bitcoin Wallet Used For Ransom Paid by Colonial Pipeline

Security researchers at Elliptic have identified the Bitcoin digital wallet used by the criminal gang DarkSide to extract ransoms from their victims.

On Friday 7 May a major pipeline (Colonial Pipeline) in the United States was attacked by DarkSide, causing widespread fuel shortages on the US east coast.

Indeed, so serious was the attack that the US government engaged emergency powers and US President Joe Biden received “personal briefings” about the cyberattack.

US disruption

The Colonial Pipeline runs between Texas and New Jersey and is 5,500 miles long.

It carries 2.5 million barrels a day, which translates to 45 percent of the fuel supply for the US East Coast. It includes diesel, petrol and jet fuel.

It serves 90 US military installations and 26 oil refineries, as well as Atlanta airport – a busy regional air hub for America.

The devastation after the attack caused DarkSide, a criminal gang located in either Russia or Eastern Europe, to publicly declare they were not carrying out the attack for political purposes, but rather were just seeking to make money.

Last week British Foreign Secretary Dominic Raab warned Russia that it cannot continue to shelter criminal gangs carrying out ransomware attacks on Western nations.

US retaliation?

But it seems that crime does pay for some, after it emerged last week that Colonial Pipeline had actually paid DarkSide $5 million in ransom.

But the retribution and fallout continues, and last week DarkSide reportedly closed down, after unknown actors shut down the servers of the group.

US cyber security firm Recorded Future said that Darkside had admitted in a web post that it lost access to certain servers used for its web blog and for payments.

It has been reported that the US military’s Cyber Command may have downed DarkSide, after the Twitter account of the Pentagon’s 780th Military Intelligence Brigade, a hacking unit, had retweeted the Recorded Future report shortly after it came out.

Bitcoin wallet

And last Friday London-based blockchain analytics firm Elliptic identified the Bitcoin wallet used by DarkSide.

“This wallet received the 75 BTC payment made by Colonial Pipeline on 8 May, following the crippling cyberattack on its operations – leading to widespread fuel shortages in the US,” Elliptic blogged.

“Our analysis shows that the wallet has been active since 4th March 2021 and has received 57 payments from 21 different wallets,” it added. “Some of these payments directly match ransoms known to have been paid to DarkSide by other victims, such as 78.29 BTC (worth $4.4 million) sent by chemical distribution company Brenntag on 11 May.”

It said that the DarkSide wallet has received Bitcoin transactions since March with a total value of $17.5 million.

The $5m Colonial Pipeline payment was emptied from the Bitcoin wallet last Thursday (13 May), but the vast bulk of other paid ransoms was moved out of the wallet on Sunday 9 May.

Ransoms associated with previous attacks were paid to other wallets.

Elliptic in a new blog post on Tuesday said DarkSide and its affiliates had bagged at least $90 million in bitcoin ransom payments, originating from 47 distinct cryptocurrency wallets.

Elliptic suggested that approximately 47 percent of victims paid a ransom, and that the average payment was $1.9 million.

“Using Elliptic’s blockchain analytics we can follow the ransom payments and see where the bitcoins are being spent or exchanged,” it said. “What we find is that the majority of the funds are being sent to cryptoasset exchanges, where they can be swapped for other cryptoassets, or fiat currency.”
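The kind of analysis Elliptic describes, counting inbound payments to a wallet, then following the outflows forward through the transaction graph until they land on addresses attributed to an exchange, can be sketched as a small graph walk. The following is an added illustration, not Elliptic's tooling or any real DarkSide data: the ledger, addresses, amounts and exchange labels are all constructed placeholders, and the "labels" dictionary stands in for the address-attribution datasets that commercial analytics firms maintain.

```python
"""Toy transaction-graph tracing (added example, constructed data).

Models the two questions the analysis above answers: how many payments a
wallet received from how many distinct senders, and where the funds went
once they left it (exchange deposit addresses vs. untraced addresses).
"""
from collections import defaultdict, deque

# Constructed ledger: every entry is a simplified transaction with the
# addresses it spends from and the (address, BTC amount) outputs it creates.
# None of these are real transactions or real addresses.
LEDGER = [
    {"txid": "tx1", "inputs": ["victimA"], "outputs": [("ransom_wallet", 75.0)]},
    {"txid": "tx2", "inputs": ["victimB"], "outputs": [("ransom_wallet", 78.29)]},
    {"txid": "tx3", "inputs": ["victimB"], "outputs": [("ransom_wallet", 1.5)]},
    # Wallet moves 100 BTC onward; the second output is change back to itself.
    {"txid": "tx4", "inputs": ["ransom_wallet"],
     "outputs": [("hop1", 100.0), ("ransom_wallet", 54.79)]},
    {"txid": "tx5", "inputs": ["hop1"],
     "outputs": [("exch_deposit_1", 60.0), ("hop2", 40.0)]},
    {"txid": "tx6", "inputs": ["hop2"], "outputs": [("exch_deposit_2", 40.0)]},
    {"txid": "tx7", "inputs": ["ransom_wallet"], "outputs": [("unknown_cold", 54.79)]},
]

# Hypothetical attribution data: addresses believed to be exchange deposit
# addresses. Real analytics relies on large labelled datasets for this step.
LABELS = {"exch_deposit_1": "ExchangeX", "exch_deposit_2": "ExchangeY"}


def inflows(ledger, wallet):
    """Return (payment_count, distinct_senders, total_btc) for payments into `wallet`.

    A transaction that spends from the wallet itself is treated as a self-transfer,
    so its change output is not counted as an inbound payment.
    """
    count, senders, total = 0, set(), 0.0
    for tx in ledger:
        if wallet in tx["inputs"]:
            continue
        for addr, amt in tx["outputs"]:
            if addr == wallet:
                count += 1
                senders.update(tx["inputs"])
                total += amt
    return count, len(senders), round(total, 8)


def trace_outflows(ledger, wallet, labels, max_hops=5):
    """Follow funds leaving `wallet` forward and report where they come to rest.

    Breadth-first walk over addresses. An output is 'terminal' when it lands on a
    labelled address (attributed, e.g. an exchange) or on an address the ledger
    never spends from again (unspent, unattributed). Unlabelled-but-spent outputs
    are intermediate hops and are walked through rather than counted, so amounts
    are not double-counted. Change outputs back to a spending address are skipped.
    """
    spent_from = {a for tx in ledger for a in tx["inputs"]}
    landed = defaultdict(float)
    queue = deque([(wallet, 0)])
    seen_addr, seen_tx = {wallet}, set()
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for tx in ledger:
            if addr not in tx["inputs"] or tx["txid"] in seen_tx:
                continue
            seen_tx.add(tx["txid"])
            for out_addr, amt in tx["outputs"]:
                if out_addr in tx["inputs"]:
                    continue  # change back to the spender
                if out_addr in labels:
                    landed[labels[out_addr]] += amt
                elif out_addr not in spent_from:
                    landed["unattributed"] += amt
                elif out_addr not in seen_addr:
                    seen_addr.add(out_addr)
                    queue.append((out_addr, hops + 1))
    return {k: round(v, 8) for k, v in landed.items()}


def exchange_share(landed):
    """Fraction of traced funds that ended up on labelled (exchange) addresses."""
    total = sum(landed.values())
    attributed = sum(v for k, v in landed.items() if k != "unattributed")
    return round(attributed / total, 4) if total else 0.0


if __name__ == "__main__":
    print("inflows:", inflows(LEDGER, "ransom_wallet"))
    traced = trace_outflows(LEDGER, "ransom_wallet", LABELS)
    print("outflows landed:", dict(traced))
    print("share reaching exchanges:", exchange_share(traced))
```

On the constructed ledger the wallet shows three inbound payments from two distinct senders totalling 154.79 BTC, and the forward walk accounts for all of it: 100 BTC reaches the two labelled exchange deposit addresses over two hops and 54.79 BTC sits on an unspent, unattributed address. The step the toy cannot reproduce is the attribution itself; in practice the labelled-address set, and the clustering heuristics that group many addresses into one "wallet", are what make the final "majority went to exchanges" statement possible.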

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
