US Pipeline Hijackers Withdrew Most of Their Bitcoins Before Seizure

Sandra Loyd

DarkSide, the group of malicious hackers that hijacked a major oil pipeline in the United States with a ransomware attack, reportedly moved its funds before the alleged seizure of its wallets and servers.

According to various reports, DarkSide lost access to the servers of its affiliate program and, with them, its cryptocurrencies. Through this affiliate service, DarkSide rewarded other users for deploying its ransomware against victims around the world.

But the firm Elliptic asserts that DarkSide moved a large part of the payment received from the Colonial Pipeline Co. before the alleged seizure.

The pipeline operator reportedly paid about $5 million in BTC to the hackers to get rid of the ransomware, The Wall Street Journal reported last Wednesday.

DarkSide reportedly announced on the Internet that it had lost access to part of its servers and to the cryptocurrencies hosted on them.

However, there is no confirmation of this sequence of events from official sources, so it could be false news spread by the hackers to cover their tracks or to scam potential debtors among their collaborators.

[Image caption, truncated: “…to their servers and the cryptocurrencies they have fraudulently obtained with their ransomware attacks.” Composition by CriptoNoticias. Sources: geralt-9301 / pixabay.com; pngegg.com.]

According to security expert Dmitry Smilyanets, as reported by the site The Record, DarkSide acknowledged in forums and other Internet publications that it had lost access to part of its server infrastructure.

The outlet also refers to another message published on the Telegram channel Russian OSINT, in which the attackers also acknowledge that the cryptocurrencies hosted on those servers were seized.

The country where these servers are located was not disclosed, but DarkSide claims that the hosting provider yielded to the authorities and security forces following the case internationally. “After a few hours, the payment server funds were withdrawn to an unknown address,” they say.

According to US media reports, President Joe Biden this week urged President Vladimir Putin to seek a way to disrupt the operations of hackers in the countries where they operate and those bordering Russia.

On the trail of Colonial Pipeline’s BTC

Blockchain analytics firm Elliptic identified the wallet address at which the DarkSide group received the payment from Colonial Pipeline. In total, DarkSide received 75 BTC from the Colonial Pipeline company on May 8, 2021, the firm states in a publication.

In addition to the Colonial payment, the wallet reportedly received 57 payments from 21 different wallets, some of which coincide with ransomware cases in which the victims are known to have paid. One of these payments, of 78.29 BTC (USD 3,871,000), was sent by the chemical distribution company Brenntag on May 11.

Both payments, from Colonial Pipeline and from Brenntag, were sent to the same Bitcoin address, Elliptic says. This would indicate that the same actor is behind both ransomware attacks.

Elliptic also claims that, according to its analysis, not all of the Colonial Pipeline BTC could have been seized by the authorities, because the funds were moved to another address under the hackers' control. Elliptic has not disclosed the Bitcoin addresses in question.

Change of attitude: from bad actors to “ethical” criminals

The seizure of DarkSide's funds and some government pressure reportedly led to a change in the policies and ethics of the malicious activity that certain hackers carry out.

DarkSide is presumably publishing tools to decrypt the data of companies and entities affected by its ransomware, perhaps to redeem itself publicly.

Another group known as REvil, an organization that provides the ransomware of the same name, said that its affiliate service would also have new restrictions, according to The Record.

For example, REvil now prohibits its affiliates from attacking entities in the “social sector”, such as hospitals and educational institutions, as well as government entities in any country. Affiliates must obtain approval before carrying out an attack.

[Image caption: The REvil hacker group was one of those that announced it had changed its policies for carrying out attacks.]

The firm Intel 471, which is investigating this new stance taken by various hacker organizations, thinks that the seriousness of the attack on the US pipeline, which has already been unlocked, and the media coverage of the case could be too much pressure even for anonymous hackers.

As we reported in CriptoNoticias, the attack severely affected fuel distribution on the east coast of the United States, and the attackers asked for an undisclosed amount in monero (XMR) or bitcoin (BTC). The Colonial Pipeline company is responsible for transporting and distributing 45% of all fuel production in the country through its network of oil and gas pipelines.

However, based on previous cases, Intel 471 believes that the hackers could be broadcasting these announcements to calm the waters. After the storm, they could resume attacks with other techniques, or form new malicious organizations with different names to disguise themselves.

Notably, Intel 471 claims that a cryptocurrency mixing service called BitMix, popular with the hacker groups Avaddon, DarkSide, and REvil, has stopped working. Therefore, they say, “operators will have to find new ways to ‘launder’ the cryptocurrencies they get from their extortions (ransoms)”.

As we reported in CriptoNoticias, ransomware attacks have already extracted more money from their victims than in all of 2020. Financial losses amount to almost $2 million, but only 8% of companies that pay hackers get all their data back, according to Sophos.
