DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown

Darkside and BlackMatter ransomware operators have moved a large amount of their Bitcoin reserves after the recent shutdown of REvil’s infrastructure.

The gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million) after the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies.

“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.

Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cache out its profits. Moyal shared his findings with law enforcement.

“Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks,” Moyal told The Record. “At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38BTC) is stored in the following wallet: bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6.”

Below the list of wallets shared by the expert:

15WpW77a5zuMYUENyW3tFAvovgjbURBNdc1FysrVjFC8y1exHiSXWfHxWwHqwDEmDGcT12WLsWxC12hDWRAPYdaVCKxu3u5atL9DFc1EPJax1dzPr79yCuGM3BxHNRhpKesYnM4Y122rgzWWjHypxz51XydiuRvzATqYvEFoAk1HjFQLdGP4DFJR1TgXk9WUiGFMoomMmyax1KMV2LUcTJ8KF2chY32ErMtGUWXvRvWfrC16hJwHm4c6M2A6CytimipRDVhUeXVD2QrB bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6 (current major holder wallet)

Dear #bitcoin exchange platform, please block the following wallets from the incoming transactions: https://t.co/NwNiIno5mX

Attackers have split the BTC into 7 wallets with what looks like preparation to convert to other exchange or cashout somehow.

— Omri Segev Moyal (@GelosSnake) October 22, 2021

In May, the Colonial Pipeline facility in Pelham, Alabama, was hit by a cybersecurity attack and its operators were forced to shut down its systems. The pipeline allows carrying 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, it covers 45 percent of the East Coast’s fuel supplies.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.

In the aftermath of the attack, Darkside gang shut down its operations, fearing the response of law enforcement. The group also claimed that the feds seized part of its infrastructure and some wallets it was using for its operations.

In July the group rebranded its operation with the name BlackMatter.

Nevertheless, the gang re-launched in July with new infrastructure and under the new name of BlackMatter.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

The post DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt