As parts of the country are still feeling the effects of the Colonial Pipeline shutdown, details continue to emerge about the group behind the ransomware attack. DarkSide, a hacking group believed to be in Russia, hit the largest oil and gas pipeline in the U.S. The hack caused a shutdown for days and cut off vital resources to Americans from the Gulf Coast to New York.
Now that the dust has settled, more information continues to pour in about the group behind the attack, its compensation, and how investigators are going about holding those responsible accountable.
The Colonial Pipeline is a vital artery for most of the U.S. energy supply.
Stretching from the Gulf Coast of Texas to New York Harbor, the Colonial Pipeline provides gasoline, natural gas, and oil to the South and East Coast of the U.S. As a result of the ransomware attack that shut down Colonial Pipeline’s servers, most of the country was starved of necessary resources to fuel vehicles and heat homes.
Colonial shut the pipeline down to contain the damage and prevent DarkSide from taking control of the pipeline. After the attack was contained, the company cautioned that it would take several days for operations to return to normal.
Fuel shortages were seen across most of the eastern U.S., with nearly 90 percent of the gas stations in the nation’s capital running empty. At one point, 45 percent of the gas stations were out in Virginia, while 39 percent of Maryland’s gas stations were dry. About 65 percent of the gas stations were without gas in North Carolina, while nearly half of them were out in Georgia and South Carolina. By May 17, the situation was improving, with 1,672 stations resupplied—twice the amount that was operational on May 16.
DarkSide received a reported $90 million in Bitcoin from ransomware attacks.
In a report released on May 18 by Elliptic, a company that monitors activity on Bitcoin’s blockchain, the company says it uncovered 47 cryptocurrency wallets that DarkSide used to receive payments from victims. In total, the wallets received over $90 million in Bitcoin over eight months, with the group raking in over $20 million in February alone.
On May 8, Colonial Pipeline agreed to pay 75 BTC—about $5 million at the time—to DarkSide to restore its operations. On average, victims have paid $1.9 million to the group to recover from these ransomware attacks.
Investigators have tracked DarkSide’s Bitcoin activity.
Elliptic claims that it has identified the crypto wallet that DarkSide used to receive the ransom payment from Colonial Pipeline. Elliptic said that it relied on its blockchain analytics technology and on “open source intelligence” to locate and identify the crypto wallets used by DarkSide. When a ransomware attack occurs, a ransom note is delivered to the victim that includes the address of the attacker’s cryptocurrency wallet. Once that wallet is known, its transactions on the public blockchain can reveal the other wallets the attacker uses to move and launder the proceeds.
However, tracking down the individuals behind the attacks might be more difficult. DarkSide rented its ransomware operation out to other cybercriminals, or affiliates, who carried out the actual intrusions, and the group itself likely took only a 10 percent to 25 percent cut of each ransom, so the money trail leads to many different actors. Also, DarkSide has been using unregulated cryptocurrency exchanges to cash out its Bitcoin plunder, which yields fewer customer records for investigators to follow.