[TheRecord] DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement

The operators of the Darkside and BlackMatter ransomware strains have moved a large chunk of their Bitcoin reserves after news broke that fellow ransomware gang REvil had its servers taken over by a coalition of law enforcement agencies.

Approximately 107 BTC ($6.8 million) were moved earlier today, according to Omri Segev Moyal, CEO and co-founder of security firm Profero.

“Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks,” Moyal told The Record.

“At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38 BTC) is stored in the following wallet: bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6.”

Image: Omri Segev Moyal

Moyal said he believed the funds were still controlled by the Darkside/BlackMatter gang and were being prepared to be laundered or cashed out.

He said that law enforcement agencies typically move seized assets to a new wallet under their control and wouldn’t need to break the funds into smaller chunks, a step typical in money laundering operations.
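The distinction Moyal draws, one destination address for a seizure versus many near-equal chunks for laundering, can be turned into a simple on-chain heuristic. The following is an added example written for this page, not code from The Record or Profero: it classifies the outputs of a single outgoing transaction as a consolidation, a chunked split, or neither. The 15% tolerance, the three-chunk minimum and the constructed chunk amounts and placeholder destination addresses are all assumptions; only the 38 BTC remainder and its wallet address come from the article.

```python
"""Heuristic classifier for the spending pattern of a watched wallet.

Added example with constructed data (not from The Record or Profero).
A law-enforcement seizure typically sends everything to one new wallet;
the laundering pattern described in the article breaks the balance into
several wallets of roughly equal size plus a remainder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str   # destination address of one transaction output
    btc: float     # amount sent to that address


def largest_near_equal_group(amounts, tolerance):
    """Largest subset of `amounts` lying within +/-tolerance (a fraction)
    of one of the amounts used as the centre.  O(n^2), fine for a
    single transaction's outputs."""
    best = []
    for centre in amounts:
        group = [a for a in amounts if abs(a - centre) <= tolerance * centre]
        if len(group) > len(best):
            best = group
    return best


def classify_outputs(outputs, tolerance=0.15, min_chunks=3):
    """Return a summary dict with the detected pattern:
    'consolidation'  - a single destination (what a seizure looks like)
    'chunked_split'  - at least `min_chunks` near-equal outputs
    'other'          - anything else
    Thresholds are assumptions chosen for this example."""
    amounts = [o.btc for o in outputs]
    if len(amounts) == 1:
        pattern, chunks = "consolidation", []
    else:
        chunks = largest_near_equal_group(amounts, tolerance)
        pattern = "chunked_split" if len(chunks) >= min_chunks else "other"
    chunk_total = sum(chunks)
    return {
        "pattern": pattern,
        "chunks": len(chunks),
        "chunk_total_btc": round(chunk_total, 8),
        "remainder_btc": round(sum(amounts) - chunk_total, 8),
    }


# Constructed sample: seven chunks of 7-8 BTC plus the 38 BTC remainder
# named in the article.  Chunk addresses are placeholders, not real ones.
SPLIT_SAMPLE = [Output(f"bc1q-constructed-chunk-{i}", btc)
                for i, btc in enumerate([7.0, 7.2, 7.4, 7.6, 7.8, 8.0, 7.5], 1)]
SPLIT_SAMPLE.append(Output("bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6", 38.0))

# Constructed sample of what a seizure would look like: one destination.
SEIZURE_SAMPLE = [Output("bc1q-constructed-le-custody", 107.0)]

# Constructed sample that matches neither pattern.
OTHER_SAMPLE = [Output("bc1q-constructed-a", 60.0), Output("bc1q-constructed-b", 47.0)]


if __name__ == "__main__":
    for name, sample in [("split", SPLIT_SAMPLE),
                         ("seizure", SEIZURE_SAMPLE),
                         ("other", OTHER_SAMPLE)]:
        print(name, classify_outputs(sample))
```

The heuristic is only a triage signal for an exchange's compliance team or an analyst watching a flagged wallet: near-equal outputs also occur in legitimate batching, so a hit should trigger a closer look at where the chunks go next, not a verdict on its own.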

Darkside moves $6.8 million, fearing a repeat

The funds were moved roughly six hours after Reuters reported that a coalition of law enforcement agencies from several countries was responsible for hijacking the servers of fellow ransomware group REvil over the weekend.

The Darkside group’s quick reaction to move funds and re-assess control is justifiable in light of the gang’s history and past attacks.

Darkside was the ransomware strain used in the incident that crippled the operations of Colonial Pipeline in May, an attack that indirectly caused fuel supply outages across the US East Coast.

In light of the attack and its political repercussions, the Darkside gang shut down its operations a week later. At the time, the gang claimed it shut down after losing control over some of its servers and some of its cryptocurrency wallets.

Nevertheless, the gang re-launched in July with new infrastructure and under the new name of BlackMatter.

Moving some of its funds shortly after the REvil takedown news makes sense since the gang would like to make sure they don’t lose funds for a second time, during another law enforcement crackdown.

Moyal has now notified and asked cryptocurrency exchanges to block the Darkside/BlackMatter wallets holding their new funds, but the fractured cryptocurrency exchange landscape still leaves many ways for the group to launder its profits.

Dear #bitcoin exchange platform, please block the following wallets from the incoming transactions: https://t.co/NwNiIno5mX

Attackers have split the BTC into 7 wallets with what looks like preparation to convert to other exchange or cashout somehow.

— Omri Segev Moyal (@GelosSnake) October 22, 2021

The post DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement appeared first on The Record by Recorded Future.
