The US Department of Justice and the FBI today announced that they had seized 63.7 BTC of the 75 BTC ransom paid to DarkSide by Colonial Pipeline. Elliptic’s analysis shows that this represents the bulk of the affiliate’s share of the ransom.
DarkSide is an example of “Ransomware as a Service” (RaaS). In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organisation. This new business model has revolutionised ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organisation.
Any ransom payment made by a victim is then split between the affiliate and the developer. In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.
It appears to be the majority of the affiliate’s share of this ransom – 63.7 BTC – that has been seized by US authorities today. Using blockchain analysis we can trace the affiliate’s share of the Colonial ransom transaction (previously identified by Elliptic) to the Bitcoin address bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq – the same address mentioned in the seizure affidavit:
This address was emptied at around 1.40pm (Eastern Time) on June 7th – presumably by US authorities. (There was also the movement of an additional 5.9 BTC not mentioned in the affidavit).
This action by US authorities demonstrates the value of blockchain analytics to track down proceeds of crime in cryptocurrency, and ensure that ransomware does not pay for the criminals behind it.