Hackers behind the Colonial Pipeline attack received $90 million in bitcoin before shutting down


May 19, 2021: According to new research, DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, received $90 million in bitcoin ransom payments before shutting down last week.

Colonial Pipeline was hit with a devastating cyberattack this month that forced the company to shut down approximately 5,500 miles of pipeline, crippling gas delivery systems in southeastern states. The FBI blamed DarkSide, a cybercriminal gang from Eastern Europe, and Colonial reportedly paid a $5 million ransom to the group.

DarkSide operates a “ransomware as a service” business model, which means the hackers develop and market ransomware tools and sell them to criminals who then carry out attacks.

Ransomware is a type of malicious software designed to block access to a computer system. Hackers demand a ransom payment in return for restoring access.

On Friday, London-based blockchain analytics firm Elliptic said it had identified the bitcoin wallet used by DarkSide to collect payments from its victims. That same day, security researchers at Intel 471 said DarkSide had closed down after losing access to its servers and having its cryptocurrency wallets emptied. DarkSide also blamed “pressure from the U.S.,” according to a note obtained by Intel 471.

In a new blog post Tuesday, Elliptic said DarkSide and its affiliates bagged at least $90 million in bitcoin ransom payments originating from 47 different cryptocurrency wallets. The average payment from organizations was likely $1.9 million, Elliptic said.

“To our knowledge, this analysis includes all payments made to DarkSide, however further transactions may yet be uncovered, and the figures here should be considered a lower bound,” said Tom Robinson, Elliptic’s co-founder and chief scientist.

Elliptic said that DarkSide’s bitcoin wallet contained $5.3 million worth of the digital currency before its funds were drained last week. There was some speculation that the U.S. government had seized this bitcoin.

According to Elliptic, of the $90 million total haul, $15.5 million went to DarkSide’s developer while $74.7 million went to its affiliates. The majority of the funds are being sent to crypto exchanges, where they can be converted into fiat money, Elliptic said.

The Colonial Pipeline hack was one of a spate of ransomware attacks to generate headlines last week. A division of Japanese conglomerate Toshiba said its European unit had been hacked, blaming the attack on DarkSide, while a ransomware attack also hit Ireland’s health service. On Wednesday, President Joe Biden signed an executive order aimed at strengthening U.S. cybersecurity defenses.
