{
	"id": "ce251433-c86e-4666-82c5-f9768ee5e68b",
	"created_at": "2026-04-06T00:19:44.591898Z",
	"updated_at": "2026-04-10T03:22:13.621178Z",
	"deleted_at": null,
	"sha1_hash": "0332f05ada92c6cc2f5debf13d8c213e855e72bd",
	"title": "DarkSide ransomware rushes to cash out $7 million in Bitcoin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1654564,
	"plain_text": "DarkSide ransomware rushes to cash out $7 million in Bitcoin\r\nBy Ionut Ilascu\r\nPublished: 2021-10-22 · Archived: 2026-04-05 16:37:15 UTC\r\nAlmost $7 million worth of Bitcoin in a wallet controlled by DarkSide ransomware operators has been moved in what looks\r\nlike a money laundering rollercoaster.\r\nThe funds have been moving to multiple new wallets since yesterday, a smaller amount being transferred with each\r\ntransaction to make the money more difficult to track.\r\nThe timing aligns with the takedown of REvil ransomware infrastructure after hijacking the gang's Tor hidden service as a\r\nresult of an international law enforcement operation.\r\nhttps://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/\r\nPage 1 of 5\n\nThe money laundering flow\r\nThe DarkSide ransomware gang has extorted dozens of victims of tens of millions of U.S. 
dollars, their most famous attack\r\nbeing on May 7, against the largest fuel pipeline in the United States, Colonial Pipeline.\r\nOmri Segev Moyal, the CEO and co-founder of cybersecurity company Profero, tweeted today that 107 bitcoins from a\r\nDarkSide wallet were moved to a new wallet.\r\nLooking at the transaction hash, the move started on October 21, 2021, at 7:05 AM (GMT) and the initial value was a little\r\nunder $7 million.\r\nIn a blog post today, blockchain analysis company Elliptic shows how DarkSide's cryptocurrency flowed through different\r\nwallets, shrinking from 107.8 BTC to 38.1 BTC.\r\nThe money-laundering process\r\nMoving the funds this way is a typical money laundering technique that hinders tracing and helps cybercriminals convert the\r\ncryptocurrency to fiat money.\r\nElliptic says that the process continues still and that small amounts of the money have already been transferred to known\r\nexchanges.\r\nMoving the money at this time may be a result of what happened to the REvil ransomware operation, which shut down for a\r\nsecond time this year after finding that its services had been compromised by a third-party.\r\nThe hacking occurred after REvil attacked the Kaseya MSP platform that served more than 1,000 companies across the\r\nglobe. While the FBI was on the verge of disrupting REvil, the cybercriminals shut down their operation.\r\nWhen REvil restarted its business, they restored from the backups that had been infiltrated by the FBI before the gang closed\r\nshop.\r\nDarkSide money recovered by the FBI\r\nDarkSide's attack on Colonial Pipeline was the last one from DarkSide under this name. 
Until then, the ransomware gang\r\nhad collected at least $90 million from its victims.\r\nHowever, they chose their last target poorly, since its operations supplied petroleum products to markets and refineries on\r\nthe U.S. East Coast accounting for 45% of all fuel consumed in the region.\r\nEven if Colonial Pipeline paid the 75 BTC (around $5 million at the time) ransom, the consequences of the attack were too\r\nmuch for the DoJ not to treat it with top priority.\r\nOn June 7, the DoJ announced that it recovered 63.7 bitcoins of the ransom Colonial Pipeline paid to DarkSide to recover\r\ntheir systems as fast as possible. \r\nDarkSide then exited the ransomware business only to emerge as BlackMatter. In July, the rebranded threat actor was\r\nlooking to buy access to corporate networks.\r\nRecorded Future announced at the time BlackMatter saying that it \"incorporated in itself the best features of DarkSide,\r\nREvil, and LockBit.\"\r\nUnder the new name, the ransomware actors continued to hit large companies such as medical technology giant Olympus,\r\nthe New Cooperative farmers organization in the U.S., or Marketron provider of marketing services.\r\nIn a joint advisory released recently, CISA, the FBI, and the NSA provide mitigation information that can help organizations\r\ndefend against BlackMatter ransomware attacks.\r\nSource: https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/"
	],
	"report_names": [
		"darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0332f05ada92c6cc2f5debf13d8c213e855e72bd.pdf",
		"text": "https://archive.orkl.eu/0332f05ada92c6cc2f5debf13d8c213e855e72bd.txt",
		"img": "https://archive.orkl.eu/0332f05ada92c6cc2f5debf13d8c213e855e72bd.jpg"
	}
}