DarkSide is a Ransomware-as-a-Service (RaaS) operator responsible for the Colonial Pipeline ransomware attack in May last month, which caused gasoline futures to rise to their highest level in 3 years and disrupted fuel delivery across the Southeastern U.S. This article highlights what we know about DarkSide and explains how BTC flows among its network. Transaction hashes and specific entities have been omitted to protect the integrity of ongoing investigations.
💻 Who Is DarkSide?
DarkSide is a cyber crime organization in the business of developing ransomware software and then leasing the ransomware to a specific network of “Affiliates” (hackers) who then extort bitcoin from large organizations. They first appeared on Russian forums in August 2020 and are highly organized. Some interesting highlights:
- Ransom payments are specific to a victim’s net income. Per a DarkSide post: “We only attack companies that can pay the requested amount, we do not want to kill your business.”
- Per their “Principles,” DarkSide says it would not attack medical organizations, funeral services, schools/universities, non-profit organizations, or governments.
- Provided a live chat support for victims to communicate with hackers.
- Ran a victim-shaming blog (seized by the Dept. of Justice) which published sensitive data of victims that did not pay ransom demands.
- Offered cybersecurity advice to victims who did pay ransom.
- Would sell information about upcoming publicly-traded victims who had not paid ransom, so that Buyers could short the victim’s stock in advance. Per a DarkSide post: “Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.” (Source)
💸 Following the Money
Blockchain data reveals that DarkSide Admins and Affiliates generated ~2,369.13 BTC via 74 transfers from multiple ransomware campaigns between 10/6/2020 and 5/11/2021. Interestingly, most of the BTC sourced by the victims appear to have originated from two U.S.-based OTC Exchanges.
Surprisingly, it appears as though DarkSide only sent ~113.47 BTC to a bitcoin mixing service which is now reportedly offline.
DarkSide’s preferred liquidity providers were two well-known, non-U.S. Exchanges; Exchange #1 received a total of ~796.6 BTC from DarkSide and Exchange #2 received 784.47 BTC.
One of the most interesting DarkSide wallet clusters received 1,637.86 BTC via 215 transfers between 02/20/2018 and 5/9/2021; approximately 595.33 BTC of the 1,637.86 BTC were funds extorted via the NetWalker/Mailto ransomware campaign between 5/30/2020 and 6/30/2020. The 69.6 BTC seized by the FBI were received from this cluster of DarkSide wallets on 5/28/2021, and then split between two wallets on 6/7/2021.
While it is unclear exactly how the FBI recovered the BTC from this cluster, the most likely explanation is that either the server recovered in Northern California contained the wallet password or private key, and/or that it was provided by a DarkSide Admin or Affiliate.
Bitcoin’s public ledger enables a level of transparency not available to crimes committed with cash, equities, real estate and the like. While DarkSide has reportedly gone offline, it is widely speculated that they are laying low in light of the Colonial Pipeline media attention and will likely emerge sometime in the future under a new name.