Colonial Pipeline Ransomware Bad Guys Unmasked


Last week a huge portion of the Southeast U.S. found itself out of gas. Specifically, the gasoline, diesel and jet fuel that keep cars on the road and planes in the air.

Why? Because Colonial Pipeline, the largest pipeline system for refined oil products in the U.S., suffered a ransomware attack on its corporate IT systems and shut the pipeline down as a precaution while it assessed the damage. Simply put: no money for hackers, no gas for you.

So by now most people probably know the perpetrator of this pipeline “stick up” was none other than the ransomware-as-a-service crew “DarkSide.” And Colonial Pipeline wasn’t alone; this cybercrime group has claimed a string of other recent ransomware victims. However, it appears “DarkSide” has been ratted out (or at least its money has) by blockchain analytics firm Elliptic. Yup, busted.

According to Dr. Tom Robinson, Elliptic’s Co-founder and Chief Scientist, Elliptic has identified the Bitcoin wallet used by “DarkSide.” That wallet was used by the ransomware group in order to receive ransom payments from its victims, including Colonial Pipeline.

This identified wallet received the 75 BTC payment made by Colonial Pipeline on May 8, following the crippling cyberattack on its operations and the pipeline shutdown that led to widespread fuel shortages in the US. The Elliptic team noted:

“Our analysis shows that the wallet has been active since 4th March 2021 and has received 57 payments from 21 different wallets. Some of these payments directly match ransoms known to have been paid to DarkSide by other victims, such as 78.29 BTC (worth $4.4 million) sent by chemical distribution company Brenntag on May 11.”

In addition, Elliptic’s analysis shows that a previously unreported ransom payment of roughly $320,000 was made to “DarkSide” on May 10. Those bitcoins originated from the same exchange used by Colonial Pipeline.

Apparently, since March this evildoer’s wallet has received Bitcoin transactions with a total value of $17.5 million. Ransoms associated with earlier attacks were paid to other wallets.

OK, so where, and how, is “DarkSide” laundering all this illicit Bitcoin?

Elliptic noted that “by tracing previous outflows from the wallet, we can gain insights into how DarkSide and its affiliates were laundering their previous proceeds.” Following the money out of the wallet, they found that 18% of the Bitcoin was “sent to a small group of exchanges.”

And, as if straight out of a Marvel Studios series, something called HYDRA pops up. This one isn’t a comic-book crime syndicate, though; it’s a darknet marketplace that doubles as a cash-out service provider. Again, Elliptic:

“An additional 4% has been sent to Hydra, the world’s largest darknet marketplace, servicing customers in Russia and neighboring countries. As we revealed in previous research, Hydra offers cash-out services alongside narcotics, hacking tools and fake IDs. These allow Bitcoin to be converted into gift vouchers, prepaid debit cards or cash Rubles. If you’re a Russian cybercriminal and you want to cash-out your crypto, then Hydra is an attractive option.”

So that’s how it’s done (my note: there is no basis to the rumor that JP Morgan may acquire HYDRA; too small for them). You may have noticed that a huge portion of the ransom is “unaccounted” for. Speculation has it that it was seized by the US government, but Elliptic noted that most of the Bitcoin was moved earlier. Where? Only the shadows know.