Recent activity has been observed on a wallet owned by the DarkSide ransomware gang. Its operators appear to want to cash out $7 million in Bitcoin by moving the funds into various wallets. The activity seems to have started on Thursday last week.

Bitcoin Moving: What Happened?

The DarkSide gang started to move its virtual assets on October 21, 2021, at 7:05 AM (GMT), according to Bleeping Computer. The initial amount in the operators’ wallet was worth up to approximately $7 million.

As Profero’s CEO and cofounder Omri Segev Moyal noticed on Friday in a Twitter post, 107 bitcoins were moved out of DarkSide’s wallet and directed to a new one.

Another report, from Elliptic, also showed that the group’s crypto has started moving and is being transferred to different wallets. Amounts from 107.8 BTC to 38.1 BTC traveled through various wallets in what appears to be a money laundering process. This technique is not unknown, as it helps threat actors make their Bitcoin untraceable and eventually convert it to fiat money. As the same researchers mention, it seems that the threat actors have already transferred some amounts to exchanges.

These funds remained dormant until yesterday (October 21). Beginning at 7am GMT, the funds, now worth $7 million, were moved through a series of new wallets over the course of several hours, with small amounts being “peeled” off at each step. This is a common money laundering technique, used to attempt to make the funds more difficult to track and to aid their conversion into fiat currency through exchanges. The process is ongoing, but small amounts of the funds have already been sent to known exchanges.


Why Move the Bitcoins Now?

As the same publication mentions, this new activity by the DarkSide group seems to be associated with the takedown of the REvil ransomware infrastructure: REvil discovered that a third party had managed to compromise its services and therefore closed up operations for the second time this year.

This compromise happened after their well-known attack on Kaseya, which put the FBI on their trail and was followed by a shutdown of their operations. Then, when they wanted to start their operations again, they used backups that were already known to the FBI.

The FBI Recovers Money from DarkSide

The last attack of the DarkSide ransomware group was directed at Colonial Pipeline, the biggest US pipeline system. By the time the gang reached its last victims, the money it had collected over months from its cyberattacks was worth up to $90 million.

Since Colonial Pipeline is a very important petroleum products supplier for the U.S., the DOJ (the United States Department of Justice) treated this matter as a top priority. On the 7th of June, it managed to recover 63.7 bitcoins out of the ransom amount the fuel company paid to the gang.

To continue its operation, DarkSide transformed into BlackMatter ransomware and started targeting corporate networks in July. Recorded Future described the rebranded group at the time as combining the best qualities of DarkSide, REvil, and LockBit. BlackMatter managed to hit enterprises like Olympus, New Cooperative, and Marketron.

How to Stay Safe?

Ransomware is the most popular threat nowadays, and you need to know how to prevent it before disaster strikes. With the best tools, you can do this. Use our Privileged Access Management solution to limit and control user access rights; it automatically de-escalates rights when needed. Our Patch and Asset Management can help you always stay up to date with software patches, as we all know that outdated software won’t do any good. And last, but not least, our Ransomware Encryption Protection will help dispel the fear of data encryption. Give them a try!

Author Profile

Andra Andrioaie

Security Enthusiast