{
	"id": "c0b1ae1c-fb92-42f8-90c3-2e91d9d66df8",
	"created_at": "2026-04-06T00:08:56.150871Z",
	"updated_at": "2026-04-10T03:20:39.809536Z",
	"deleted_at": null,
	"sha1_hash": "779eb2388be2f1f3309d91d8528f6bbf8b81870e",
	"title": "Darkside ransomware gang says it lost control of its servers \u0026 money a day after Biden threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151812,
	"plain_text": "Darkside ransomware gang says it lost control of its servers \u0026\r\nmoney a day after Biden threat\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-14 · Archived: 2026-04-05 14:52:12 UTC\r\nA day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline\r\ncyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of\r\nthe funds it made from ransom payments.\r\n\"A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN\r\nservers,\" said Darksupp, the operator of the Darkside ransomware, in a post spotted by Recorded Future threat\r\nintelligence analyst Dmitry Smilyanets.\r\n\"Now these servers are unavailable via SSH, and the hosting panels are blocked,\" said the Darkside operator while\r\nalso complaining that the web hosting provider refused to cooperate.\r\nIn addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang's\r\npayment server, which was hosting ransom payments made by victims.\r\nThe funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who\r\nbreach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.\r\nTakedown?\r\nThis sudden development comes after US authorities announced their intention to go after the gang.\r\nIn two conferences this week, on Monday and Thursday, US President Biden himself came out and said the US\r\nwould go after the group after one of its attacks crippled a major fuel transport pipeline that impacted half of the\r\nUS East Coast, leading the US to declare a state of national emergency in order to ensure gasoline was delivered\r\nto impacted regions.\r\n\"We have been in direct communication with Moscow about the imperative for responsible countries to take\r\ndecisive action against these ransomware networks,\" President Biden said 
in a press conference on Thursday.\r\n\"We are also going to pursue a measure to disrupt their ability to operate,\" he added [see video below].\r\nPres. Biden on Colonial Pipeline hack: \"We do not believe the Russian government was involved in this\r\nattack—but we do have strong reason to believe that the criminals who did the attack are living in\r\nRussia.\" https://t.co/CAHmsNFmcf pic.twitter.com/ex8AfuwIPX\r\n— ABC News (@ABC) May 13, 2021\r\nhttps://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/\r\nPage 1 of 4\n\nPresident Biden's statement also came after Bill Evanina, former Director of the US National Counterintelligence\r\nand Security Center (NCSC), said last week that the US intelligence community was very likely to\r\nrespond to the brazen Colonial attack in a disruptive manner.\r\nDarkside attribution is a good move by the FBI. I fully expect Darkside to shortly experience the full\r\nextent of IC and DoD precision tactical deterrent capabilities. https://t.co/YsHFi0h2TY\r\n— William Evanina (@BillEvanina) May 10, 2021\r\nOr exit scam?\r\nBut Smilyanets warns that the group's announcement could also be a ruse, as no announcement has yet been made\r\nby US officials.\r\nThe group could be taking advantage of President Biden's statements as cover to shut down its infrastructure and\r\nrun away with its affiliates' money without paying their cuts—a tactic known as an \"exit scam\" on the\r\ncybercriminal underground.\r\nAccording to #REvil #ransomware operator Unknown (possible false flag), #DarkSide - No More.\r\nServers are seized. 
Money is gone\r\n— (@ddd1ms) May 14, 2021\r\nReached out for comment, a spokesperson for the Justice Department said the department does not comment on\r\nactive investigations and could not confirm a coordinated action from any US entity.\r\nREvil and Avaddon gangs announce changes too\r\nBut it's been a busy past 24 hours for ransomware gangs.\r\nThe news that Darkside lost control of its servers and that a major cybercrime forum was banning ransomware\r\nads, all happening within a span of hours of each other, also had an effect on REvil, arguably considered today's\r\nbiggest ransomware operation.\r\nIn a post quoting Darkside's (now-deleted) statement, REvil spokesperson Unknown made an announcement of\r\ntheir own and said they also plan to stop advertising their Ransomware-as-a-Service platform and \"go private\"—a\r\nterm used by cybercrime gangs to describe their intention to work with a small group of known and trusted\r\ncollaborators only.\r\nAdditionally, the REvil group also said that it plans to stop attacking sensitive social sectors like healthcare,\r\neducational institutes, and the government networks of any country, which it believes could draw unwanted\r\nattention to its operation, such as the attention Darkside is getting right now.\r\nIn the case of any of such attacks carried out by any of its collaborators, REvil said they plan to provide a free\r\ndecryption key to victims and stop working with the misbehaving affiliate.\r\nImage: Recorded Future\r\nFurthermore, hours after REvil's announcement, the operators of the Avaddon ransomware also announced similar\r\nupdates to their program, with the same clause barring ransomware groups from attacking government entities,\r\nhealthcare orgs, and educational institutes.\r\nWhile we may never know who or what is driving these changes among ransomware gangs, it is 
pretty clear that\r\nthe Colonial Pipeline attack and its aftermath appear to have broken the camel's back, and US authorities have\r\nstarted applying some sort of pressure on these groups.\r\n@ddd1ms \u0026 @campuscodi Some change is happening.... @Raj_Samani @ChristiaanBeek\r\n@McAfee_Labs pic.twitter.com/SIgNW3V2Df\r\n— John Fokker (@John_Fokker) May 14, 2021\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/"
	],
	"report_names": [
		"darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/779eb2388be2f1f3309d91d8528f6bbf8b81870e.pdf",
		"text": "https://archive.orkl.eu/779eb2388be2f1f3309d91d8528f6bbf8b81870e.txt",
		"img": "https://archive.orkl.eu/779eb2388be2f1f3309d91d8528f6bbf8b81870e.jpg"
	}
}