This Is What Happens When Cyber Criminals Use Bitcoin: The DarkSide Saga

A point of contention non-coiners have regarding Bitcoin is its alleged use by cybercriminals. People use the leading cryptocurrency for nefarious purposes, that’s a fact. However, so is every other form of money known to man used. There’s a difference, though: The blockchain. It registers every Bitcoin transaction, forever. A point that the DarkSide saga illustrates beautifully.

As the story progresses, take this into account: the people behind DarkSide are top-of-the-line computer experts. We can assume that they took every precaution, took advantage of every tool, and covered their tracks. And they probably did it at an elite level no small-time cybercriminal could accomplish.

Related Reading | Security Incident: EasyFi to Compensate 100% of the Depositors Net Balances

What Is DarkSide?

To do this right, we have to quote the people in the know. According to reporter and computer security expert Brian Krebs:

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

The Colonial Pipeline Hack

Every news outlet covered this incident. A report on CNBC describes it as:

Colonial Pipeline was hit with a devastating cyberattack earlier this month that forced the company to shut down approximately 5,500 miles of pipeline in the United States, crippling gas delivery systems in Southeastern states. The FBI blamed the attack on DarkSide

Cybersecurity experts Intel471 give us more detail:

DarkSide operators did not take responsibility for the Colonial Pipeline attack or publicly dump any data belonging to the company at the time of this report. However, on May 10, 2021, the group released an announcement alluding to its possible involvement in the attack. The operators pledged in the announcement that they will introduce “moderation” in the future by carefully checking each company DarkSide affiliates want to encrypt “to avoid social consequences in the future.”

BTC price chart on Coinbase | Source: BTC/USD on

The Counterattack 

The announcement seemed to be too little too late. A few days later, unnamed authorities seized DarkSide’s servers. And emptied their Bitcoin account. How did this happen? Nobody knows. Nevertheless, the group ímmediately announced their retirement.

The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

Related Reading | This Ongoing Bitcoin Wallet Hack Has Stolen $22 Million In BTC

Where is DarkSide’s Bitcoin?

Proving once again that the blockchain is forever, London analytics firm Elliptic located DarkSide’s wallet in a matter of hours. CNBC reports:

In a blog post Tuesday, Elliptic said DarkSide and its affiliates bagged at least $90 million in bitcoin ransom payments over the past nine months from 47 victims. The average payment from organizations was likely $1.9 million.

Of course, most of that money wasn’t there. Remember that this was a ransomware-as-a-service platform. According to Elliptic, DarkSide affiliates’ accounts received most of the funds. When law enforcement seized it, it contained the $5.3M in Bitcoin, presumably from the last attack.

Hiding that Bitcoin 

As an epilogue, Intel471 informs us of one of the tools the hackers were using:

The operators will have to find a new way to “wash” the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.

So, maybe Bitcoin is not the best for cybercriminals? Having all of your transactions living forever in the blockchain seems like a huge inconvenience to us.

Featured Image by Nahel Abdul Hadi on Unsplash - Charts by TradingView