
DarkSide Hackers' Bitcoin Stash Tracked

DarkSide hackers might have received 321.5 BTC for ransom since March, with 107 BTC still unaccounted for.


Blockchain sleuthing firm Crystal Blockchain says it has located the bitcoin address that DarkSide hackers used to collect ransom from the Colonial Pipeline and shared it with CoinDesk.


Unlike in traditional finance, with public blockchains every transaction leaves a trace. That provides rare visibility into the money movements of the cybercriminal world.

Last week, Colonial Pipeline halted operations for six days, prompting a gas shortage crisis across the Southeastern U.S., after hackers, believed to be based in Russia, hit it with a cyberattack, encrypting the company’s data. On May 8, Colonial Pipeline agreed to pay 75 BTC (or about $5 million) to the attackers and soon after was able to resume work.

Blockchain analytics firm Elliptic said in a blog post last week that it had identified DarkSide's wallet addresses, but didn't disclose the addresses themselves. According to Crystal Blockchain, a subsidiary of Bitfury, a security and infrastructure provider for the Bitcoin blockchain, the address that received the ransom is bc1q7eqww9dmm9p48hx5yz5gcvmncu65w43wfytpsf.

Connecting the dots

There were several facts that suggested this address was the one involved in collecting the ransom, Kyrylo Chykhradze, product director at Crystal Blockchain, told CoinDesk. “We found the transactions in the blockchain knowing the day of transaction and the amount sent,” Chykhradze said. “We analyzed each potential cluster (of addresses) and found additional evidence in one of them: a transaction of $4.4 million, or 78 BTC sent by Brenntag,” a chemical distribution company.

Brenntag, another victim of DarkSide, paid a ransom on May 11, Bleeping Computer reported. Elliptic also mentioned that transaction as additional evidence pointing at the bitcoin addresses associated with the hackers. Another piece of evidence pointed out by both Elliptic and Crystal: the cluster of addresses associated with hackers sent its last transaction last Thursday – the day when DarkSide reportedly got its servers seized by unspecified authorities.

A bitcoin wallet is not a single address but a set of addresses whose private keys are managed by the same software. Blockchain analytics firms group on-chain addresses into clusters and attribute each cluster to an entity using heuristics. The most important one is the common-input-ownership heuristic: when several inputs are spent in the same transaction, they are assumed to be controlled by the same party, because each input had to be signed by its key holder. The heuristic is an inference, not a proof; it breaks down for CoinJoin-style transactions, in which unrelated users deliberately co-sign one transaction, so careful clustering has to exclude those.

According to the data from Crystal’s blockchain analytic tool, DarkSide’s cluster included 30 addresses, which together received 321.5 BTC, since the first transaction on March 4. All those funds ultimately left the cluster, with the biggest amount sent to the Binance crypto exchange (over 53.3 BTC, or 16% of all funds).

Going dark

The second-largest receiver of funds is the Hydra darknet marketplace, which received over 14.6 BTC from the DarkSide wallets, or 4.5% of its funds. Hydra is the world’s biggest illegal narcotics marketplace, operating mostly in Russia and Eastern Europe, according to Chainalysis. The website also provides other illegal goods, including fake ID documents, counterfeit banknotes, as well as physical cash in exchange for bitcoin.

Other recipients of the DarkSide funds include the little-known exchanges Ren and Zillion Bits, as well as the U.S.-based centralized exchange Poloniex and Estonia-based Garantex. Smaller amounts were also sent to other well-known major exchanges and peer-to-peer crypto marketplaces, including Coinbase, Huobi, OKEx, Paxful and LocalBitcoins.

A relatively small amount, less than half a BTC, ended up in the privacy-oriented Wasabi wallet.

The last transaction sent by the cluster occurred on May 13, when 107 BTC was sent to a single unknown address, which has only been active for one day and has received three incoming transactions. The 107 BTC, worth over $4.5 million at Monday's price, remains at that address. It's unclear who controls the address.

Anna Baydakova

Anna writes about blockchain projects and regulation with a special focus on Eastern Europe and Russia. She is especially excited about stories on privacy, cybercrime, sanctions policies and censorship resistance of decentralized technologies. She graduated from the Saint Petersburg State University and the Higher School of Economics in Russia and got her Master's degree at Columbia Journalism School in New York City. She joined CoinDesk after years of writing for various Russian media, including the leading political outlet Novaya Gazeta. Anna owns BTC and an NFT of sentimental value.