Crystal Blockchain, a blockchain sleuthing company, claims to have discovered the bitcoin (BTC, -4.6 percent) address used by DarkSide hackers to extract ransom from the Colonial Pipeline and has shared it with CoinDesk.
Unlike conventional finance, any transaction on public blockchains leaves a trail. This offers a unique window into the money-laundering activities of cybercriminals.
Colonial Pipeline halted operations for six days last week, causing a gas shortage crisis across the Southeast United States, after hackers believed to be located in Russia launched a cyberattack on the business, encrypting its data. Colonial Pipeline decided to pay the attackers 75 BTC (approximately $5 million) on May 8 and was able to restart operations shortly after.
Elliptic, a blockchain analytics company, said in a blog post last week that it had found DarkSide's wallet addresses but didn't reveal them. The address that obtained the ransom, according to Crystal Blockchain, a subsidiary of Bitfury, a security and infrastructure provider for the Bitcoin blockchain, is bc1q7eqww9dmm9p48hx5yz5gcvmncu65w43wfytpsf.
Connecting the dots: According to Kyryllo Chykhradze, product director at Crystal Blockchain, "there were some details that suggested this address was the one involved in collecting the ransom." “We were able to find the transactions in the blockchain because we knew the date of the transaction and the sum sent,” Chykhradze said. “We looked at each possible cluster (of addresses) and discovered further facts in one of them: a $4.4 million transaction, or 78 BTC, sent by Brenntag,” a chemical distribution firm.
Brenntag, another DarkSide victim, paid a ransom on May 11, according to Bleeping Computer. The transaction was also listed by Elliptic as additional evidence pointing to the bitcoin addresses linked to the hackers. Elliptic and Crystal also pointed out that the cluster of addresses linked to the hackers sent its last transaction on Thursday, the same day that DarkSide's servers were allegedly confiscated by unspecified authorities.
Bitcoin wallets are made up of groups of addresses, each with its own key pair managed by the wallet software. Blockchain analytics companies group addresses on the blockchain into clusters and attribute each cluster to a single entity based on a set of heuristics. The most important of these is the common-input-ownership heuristic: addresses whose coins are spent together as inputs of the same transaction are assumed to belong to the same wallet.
DarkSide's cluster contained 30 addresses, which collectively received 321.5 BTC after the first transaction on March 4, according to data from Crystal's blockchain analytics tool. All of those funds eventually left the cluster, with the majority of them going to the Binance cryptocurrency exchange (over 53.3 BTC, or 16 percent of all funds).
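The two steps described above, clustering by common input ownership and then tallying where funds leave the cluster by attributed destination, as an added illustration (example code, not Crystal's or Elliptic's tooling). The transactions and entity labels are constructed, and amounts are in satoshis:

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data). Each input is the
# address that signed it; each output is (address, amount in satoshis).
SAMPLE_TXS = [
    {"inputs": ["A1", "A2"], "outputs": [("A3", 150_000_000), ("X1", 50_000_000)]},
    {"inputs": ["A3", "A2"], "outputs": [("EXCH1", 200_000_000)]},
    {"inputs": ["A3", "A4"], "outputs": [("MKT1", 70_000_000), ("A5", 30_000_000)]},
    {"inputs": ["B1", "B2"], "outputs": [("EXCH1", 400_000_000)]},
]

# Constructed attribution labels of the kind an analytics vendor maintains.
LABELS = {"EXCH1": "exchange-1", "MKT1": "darknet-market-1"}


class UnionFind:
    """Minimal union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_inputs(txs):
    """Common-input-ownership heuristic: every address that signs an input
    of the same transaction is assumed to be controlled by one wallet."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], addr)
    return uf


def cluster_of(uf, address):
    """All addresses merged into the same cluster as `address`."""
    root = uf.find(address)
    return frozenset(a for a in list(uf.parent) if uf.find(a) == root)


def outflows(txs, uf, address, labels):
    """Sum funds leaving the cluster that contains `address`, keyed by the
    label of the destination; outputs back into the cluster are change."""
    cluster = cluster_of(uf, address)
    totals = defaultdict(int)
    for tx in txs:
        if tx["inputs"][0] not in cluster:
            continue
        for dest, amount in tx["outputs"]:
            if dest not in cluster:
                totals[labels.get(dest, "unknown")] += amount
    return dict(totals)
```

Destinations such as exchanges are only identifiable because the vendor already labels their deposit addresses; an unlabelled single-use address, like the one holding the 107 BTC, stays "unknown".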
Going dark: The Hydra darknet marketplace, which obtained over 14.6 BTC from the DarkSide wallets, or 4.5 percent of its funds, is the second-largest recipient of funds. According to Chainalysis, Hydra is the world's largest illicit drug marketplace, operating mostly in Russia and Eastern Europe. Other illegal products available on the website include fake ID papers, counterfeit banknotes, and physical cash in exchange for bitcoin.
Other beneficiaries of the DarkSide funds include Ren and Zillion Bits, as well as the centralised exchanges Poloniex in the United States and Garantex in Estonia. Smaller quantities were also sent to Coinbase, Huobi, OKEx, Paxful, and LocalBitcoins, as well as other well-known major exchanges and peer-to-peer crypto marketplaces.
A small volume, less than half a BTC, ended up in the Wasabi wallet, which focuses on privacy.
The cluster's most recent transaction was on May 13, when it sent 107 BTC to a single unknown address that had only been active for one day and had already received three incoming transactions. That address still has the 107 BTC, which is worth over $4.5 million at today's price. The owner of the address is unknown.