{
	"id": "4c8db2fa-3460-438b-a2f9-886b9242129e",
	"created_at": "2026-04-06T00:06:55.886672Z",
	"updated_at": "2026-04-10T03:19:55.374291Z",
	"deleted_at": null,
	"sha1_hash": "595b5d7bcc81a6495cc73f51997c5fed1b054d5f",
	"title": "DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110342,
	"plain_text": "DarkSide ransomware gang moves some of its Bitcoin after REvil\r\ngot hit by law enforcement\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-18 · Archived: 2026-04-05 22:55:04 UTC\r\nThe operators of the Darkside and BlackMatter ransomware strains have moved a large chunk of their Bitcoin\r\nreserves after news broke that fellow ransomware gang REvil had its servers taken over by a coalition of law\r\nenforcement agencies.\r\nApproximately 107 BTC ($6.8 million) were moved earlier today, according to Omri Segev Moyal, CEO and co-founder of security firm Profero.\r\n\"Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks,\" Moyal\r\ntold The Record.\r\n\"At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38BTC) is stored\r\nin the following wallet: bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6.\"\r\nMoyal said he believed the funds were still controlled by the Darkside/BlackMatter gang and were being prepared\r\nto be laundered or cashed out.\r\nHe said that law enforcement agencies typically move seized assets to a new wallet under their control and\r\nwouldn't need to break the funds into smaller chunks, a step typical in money laundering operations.\r\nDarkside moves $6.8 million, fearing a repeat\r\nThe funds were moved roughly six hours after Reuters reported that a coalition of law enforcement agencies from\r\nseveral countries was responsible for hijacking the servers of fellow ransomware group REvil over the weekend.\r\nThe Darkside group's quick reaction to move funds and re-assess control is justifiable in light of the gang's history\r\nand past attacks.\r\nDarkside was the ransomware strain used in the incident that crippled the operations of Colonial Pipeline in May,\r\nan attack that indirectly caused fuel supply outages across the US East 
Coast.\r\nhttps://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/\r\nPage 1 of 3\n\nIn light of the attack and its political repercussions, the Darkside gang shut down its operations a week later. At\r\nthe time, the gang claimed they shut down after they lost control over some servers and some cryptocurrency\r\nwallets (money).\r\nNevertheless, the gang re-launched in July with new infrastructure and under the new name of BlackMatter.\r\nMoving some of its funds shortly after the REvil takedown news makes sense since the gang would like to make\r\nsure they don't lose funds for a second time, during another law enforcement crackdown. Furthermore, the gang\r\nwas most likely spooked already after the US government published a security advisory about its activities four\r\ndays before.\r\nMoyal has now notified and asked cryptocurrency exchanges to block the Darkside/BlackMatter wallets holding\r\ntheir new funds, but the fractured cryptocurrency exchange landscape still leaves many ways for the group to\r\nlaunder its profits.\r\nDear #bitcoin exchange platform, please block the following wallets from the incoming transactions:\r\nhttps://t.co/NwNiIno5mX\r\nAttackers have split the BTC into 7 wallets with what looks like preparation to convert to other\r\nexchange or cashout somehow.\r\n— Omri Segev Moyal (@GelosSnake) October 22, 2021\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: 
https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/"
	],
	"report_names": [
		"darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement"
	],
	"threat_actors": [],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/595b5d7bcc81a6495cc73f51997c5fed1b054d5f.pdf",
		"text": "https://archive.orkl.eu/595b5d7bcc81a6495cc73f51997c5fed1b054d5f.txt",
		"img": "https://archive.orkl.eu/595b5d7bcc81a6495cc73f51997c5fed1b054d5f.jpg"
	}
}