2021-10-23

$6.8 million worth of Bitcoin (BTC) held by the DarkSide ransomware group, which carried out the attack on Colonial Pipeline in May, is on the move, blockchain analytics firm Elliptic reported, as cited by CoinDesk. Elliptic links the activity to another ransomware group, REvil, which is closely related to DarkSide.

Ransom funds were inactive until yesterday

After the attack on Colonial, which put the fuel supply of five US states at risk, DarkSide obtained around $5 million in ransom. Its share of the funds remained untouched until October 21, Elliptic wrote in a blog post on Friday. Colonial initially refused to pay but eventually did; according to insiders, its overriding priority was restoring operation of the largest fuel pipeline in the US.

Elliptic identified the DarkSide wallet; ransom payments kept coming

DarkSide, which describes itself as a “ransomware-as-a-service” developer, kept a wallet for its share of the ransom payments. Elliptic identified it through blockchain transaction analysis and intelligence gathering. This wallet received the Colonial ransom on May 8, following the cyberattack that caused fuel shortages across the country.

The wallet has been active for over six months. In that time it has received 57 payments from 21 different wallets, including ransoms known to have been paid by other victims of the group. Since the wallet was opened, DarkSide has received Bitcoin transactions worth $17.5 million in total, Elliptic said.

DarkSide wallet allegedly claimed by REvil

DarkSide reported that an unknown third party had taken control of its wallet. This party sent 107.8 BTC ($6.8 million) to a new address. Over a period of a few hours the sum was then moved through a series of newly created wallets, with small amounts split off at each step, which makes the funds harder to trace.

US government forces REvil offline

Elliptic associates this activity with the REvil ransomware group, which was hacked and forced offline this week in a US government-led operation. According to Tom Kellermann, VMware’s head of cybersecurity strategy, intelligence and law enforcement personnel prevented the group from inflicting further damage:

The FBI, along with Cyber Command, the Secret Service, and like-minded countries, has actually engaged in significant disruptive actions against these groups. REvil was the first on the list.