DarkSide, the group responsible for the cyber attack on Colonial Pipeline, reportedly received over $90 million in Bitcoin from 47 victims before being forced to shut down last week, according to blockchain analytics firm Elliptic.
Around 99 organisations were infected with the DarkSide malware, which would mean that roughly 47 per cent of victims paid a ransom to regain control of their data, Elliptic said in a blog. The average payment per victim could have amounted to $1.9m, the company estimated.
“We can follow the ransom payments and see where the Bitcoins are being spent or exchanged. What we find is that the majority of the funds are being sent to crypto-asset exchanges, where they can be swapped for other crypto-assets or fiat currency,” said Tom Robinson, co-founder and chief scientist of Elliptic.
The majority of the crypto-asset exchanges comply with the anti-money laundering regulations and verify their customers’ identity, often flagging any suspicious activity. These exchanges also use blockchain analytics tools to check customer deposits for links to illicit activity such as ransomware.
“However, some jurisdictions do not enforce these regulations”, and DarkSide’s ransomware proceeds were sent to those exchanges, Mr Robinson said.
DarkSide, which made its first appearance in August, said it is shutting down due to “pressure” from the US government and after losing control over its operations and money.
It also ran an affiliate programme to help other hacker groups in their infiltration attempts. Ransom amounts paid by the victims are shared between DarkSide and its affiliates.
“The developer [DarkSide] reportedly takes 25 per cent for ransoms less than $500,000, but this decreases to 10 per cent for ransoms greater than $5m,” Mr Robinson said.
“This split of the ransom payment is very clear to see on the blockchain, with the different shares going to separate Bitcoin wallets controlled by the affiliate and developer. In total, the DarkSide developer has received Bitcoins worth $15.5m [17 per cent], with the remaining $74.7m [83 per cent] going to the various affiliates.”
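As an added illustration, not Elliptic’s tooling and not code from the article, the following Python sketches the two heuristics the quotes above describe: recognising the developer/affiliate split by the ratio between the outputs of the transaction that divides the ransom, and following each output forward through later transactions until it lands on an address attributed to an exchange. The transaction graph, addresses, BTC price, exchange labels and the 20 per cent middle band for ransoms between $500,000 and $5m are all constructed assumptions; only the 25 per cent and 10 per cent tiers come from the article.

```python
"""Toy blockchain-analytics pass over a constructed ransom payment.

Everything below is made up for illustration: the transaction graph,
addresses, BTC/USD price and exchange labels are constructed, not real
chain data. The 25% (<$500k) and 10% (>$5m) developer tiers follow the
article; the 20% middle band is an assumption.
"""
from collections import deque

BTC_USD = 45_000  # constructed price used to size the ransom in USD

# Constructed UTXO graph: txid -> {"inputs": [(txid, vout)], "outputs": [(address, btc)]}.
# "victim_pay" is the ransom; "split" divides it between developer and affiliate wallets.
TXS = {
    "victim_pay": {"inputs": [("victim_funds", 0)],
                   "outputs": [("bc1_ransom_wallet", 125.0)]},
    "split": {"inputs": [("victim_pay", 0)],
              "outputs": [("bc1_dev_wallet", 12.5), ("bc1_aff_wallet", 112.49)]},
    "dev_cashout": {"inputs": [("split", 0)],
                    "outputs": [("bc1_exchA_deposit", 12.49)]},
    "aff_hop1": {"inputs": [("split", 1)],
                 "outputs": [("bc1_mixer_in", 100.0), ("bc1_aff_change", 12.48)]},
    "aff_hop2": {"inputs": [("aff_hop1", 0)],
                 "outputs": [("bc1_exchB_deposit", 99.99)]},
}

# Constructed attribution labels, as an exchange's clustering tool would supply them.
LABELS = {
    "bc1_exchA_deposit": ("ExchangeA", "kyc"),      # AML-regulated, verifies customers
    "bc1_exchB_deposit": ("ExchangeB", "no_kyc"),   # jurisdiction that does not enforce AML
}


def developer_share(ransom_usd):
    """Expected developer cut by ransom size. 20% middle band is an assumption."""
    if ransom_usd < 500_000:
        return 0.25
    if ransom_usd > 5_000_000:
        return 0.10
    return 0.20


def classify_split(txid, tolerance=0.01):
    """Label a split tx's outputs as developer/affiliate when one output's share
    of the total matches the expected tier; the largest remaining output is the affiliate."""
    tx = TXS[txid]
    total = sum(val for _, val in tx["outputs"])
    expected = developer_share(total * BTC_USD)
    for i, (addr, val) in enumerate(tx["outputs"]):
        if abs(val / total - expected) <= tolerance:
            others = [o for j, o in enumerate(tx["outputs"]) if j != i]
            affiliate = max(others, key=lambda o: o[1])[0]
            return {"developer": addr, "affiliate": affiliate,
                    "developer_share": round(val / total, 3)}
    return None  # no output matches a known tier: not a recognisable RaaS split


def build_spend_index():
    """Map each outpoint (txid, vout) to the txid that spends it."""
    index = {}
    for txid, tx in TXS.items():
        for outpoint in tx["inputs"]:
            index[outpoint] = txid
    return index


def trace_to_exchanges(start_txid, max_hops=5):
    """Breadth-first walk forward from start_txid's outputs until funds reach a labeled
    exchange deposit address or the hop limit; returns one record per landing."""
    spends = build_spend_index()
    hits, seen = [], set()
    queue = deque([(start_txid, 0)])
    while queue:
        txid, hops = queue.popleft()
        if txid in seen or hops > max_hops:
            continue
        seen.add(txid)
        for vout, (addr, val) in enumerate(TXS[txid]["outputs"]):
            if addr in LABELS:
                name, status = LABELS[addr]
                hits.append({"exchange": name, "status": status, "btc": val, "hops": hops})
            elif (txid, vout) in spends:
                queue.append((spends[(txid, vout)], hops + 1))
    return hits


def share_to_no_kyc(hits):
    """Fraction of traced BTC that landed at exchanges labeled as not enforcing KYC."""
    total = sum(h["btc"] for h in hits)
    weak = sum(h["btc"] for h in hits if h["status"] == "no_kyc")
    return round(weak / total, 3) if total else 0.0


if __name__ == "__main__":
    print(classify_split("split"))
    landings = trace_to_exchanges("split")
    for h in landings:
        print(h)
    print("share to no-KYC exchanges:", share_to_no_kyc(landings))
```

In the constructed graph the split transaction pays 12.5 BTC of roughly 125 BTC to one wallet, a 10 per cent share that matches the top tier for a ransom above $5m, so that output is labeled the developer and the larger one the affiliate. The forward trace then shows the developer's cut reaching a KYC exchange in one hop and the affiliate's cut passing through an intermediate address before landing at an exchange labeled as not enforcing AML rules, which is the pattern Mr Robinson describes. On real chain data the same walk needs an attribution dataset and handling for mixers and peel chains, which this sketch does not attempt.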
DarkSide follows the ransomware-as-a-service model, meaning it sells or leases ransomware to others to carry out attacks.
The group also has a help desk to arrange negotiations with victims and to collect information about their targets.
Colonial paid about $5m to hackers on Friday to regain control of its systems, according to Bloomberg. In earlier reports, the company had said it did not plan to pay any ransom.