{
	"id": "dc929ea0-da29-4239-9c04-c5bc73091478",
	"created_at": "2026-04-06T00:08:46.503147Z",
	"updated_at": "2026-04-10T03:20:03.472418Z",
	"deleted_at": null,
	"sha1_hash": "005ccbab4b04b0125f8b67ea47b5f66b5beea480",
	"title": "DarkSide Bitcoins on the move following government cyberattack against REvil ransomware group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36275,
	"plain_text": "DarkSide Bitcoins on the move following government cyberattack\r\nagainst REvil ransomware group\r\nBy Elliptic Intel\r\nArchived: 2026-04-05 12:45:20 UTC\r\n$7 million in Bitcoin held by the DarkSide ransomware group is on the move, five months after the attack on\r\nColonial Pipeline that crippled fuel supplies along the US east coast. These funds had remained dormant since the\r\ngroup shut down on May 13th.\r\nDarkSide received just over $90 million in Bitcoin ransom payments from around 50 victims, before shutting\r\ndown shortly after the Colonial Pipeline attack. The following month US authorities seized 63.7 Bitcoins that\r\nmade up the affiliate’s share of the 75 BTC Colonial Pipeline ransom payment. \r\nDarkSide is an example of “ransomware as a service” (RaaS). In this operating model, the malware is created by\r\nthe ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system\r\nand negotiating the ransom payment with the victim organization.\r\nThe DarkSide developer maintained a wallet to hold its share of the ransom payments — including 11.3 Bitcoins\r\nfrom the Colonial payment. On May 13th, DarkSide claimed that its infrastructure, including the wallet, had been\r\nseized by an unknown third party. On the same day the wallet was emptied, with 107.8 Bitcoins (then worth $5.3\r\nmillion) being sent to a new bitcoin address.\r\nThese funds remained dormant until yesterday (October 21st). Beginning at 7:00am GMT, the funds, now worth\r\n$7 million, were moved through a series of new wallets over the course of several hours, with small amounts\r\nbeing “peeled” off at each step.\r\nThis is a common money laundering technique, used to attempt to make the funds more difficult to track and to\r\naid their conversion into fiat currency through exchanges. 
The process is ongoing, but small amounts of the funds\r\nhave already been sent to known exchanges.\r\nThe movement of the dormant DarkSide funds comes on the same day that it was reported that the REvil\r\nransomware group had been hacked and forced online in a government-led operation. DarkSide has been strongly\r\nlinked to REvil, with the ransomware groups sharing similarly structured ransom notes and using the same code.\r\nElliptic’s clients, including financial institutions and cryptocurrency exchanges can be alerted to any client\r\ndeposits that originate from the DarkSide wallet, by using our transaction and wallet screening solutions.\r\nSource: https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group"
	],
	"report_names": [
		"darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group"
	],
	"threat_actors": [],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/005ccbab4b04b0125f8b67ea47b5f66b5beea480.pdf",
		"text": "https://archive.orkl.eu/005ccbab4b04b0125f8b67ea47b5f66b5beea480.txt",
		"img": "https://archive.orkl.eu/005ccbab4b04b0125f8b67ea47b5f66b5beea480.jpg"
	}
}