{
	"id": "a9ffd2f9-6d19-4a13-8281-600f2158c24c",
	"created_at": "2026-04-06T00:19:40.367516Z",
	"updated_at": "2026-04-10T03:20:50.251703Z",
	"deleted_at": null,
	"sha1_hash": "85b09c4bc3e9537b2a4f6660d4cde637d374ebaa",
	"title": "DarkSide affiliates claim gang's bitcoin deposit on hacker forum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1174313,
	"plain_text": "DarkSide affiliates claim gang's bitcoin deposit on hacker forum\r\nBy Ionut Ilascu\r\nPublished: 2021-05-21 · Archived: 2026-04-05 16:45:11 UTC\r\nSince the DarkSide ransomware operation shut down a week ago, multiple affiliates have complained about not getting paid\r\nfor past services and issued a claim for bitcoins in escrow at a hacker forum.\r\nRussian-language cybercriminal communities typically have an escrow system to avoid scams between sellers and buyers.\r\nFor ransomware operations, the deposit is a clear statement that they mean big business.\r\nTo gain the trust of potential partners and expand the operation, DarkSide deposited 22 bitcoins on the popular hacker forum\r\nXSS. The wallet is managed by the site’s administrator, which in this case acts as a guarantor for the gang and an arbitrator\r\nif a dispute occurs.\r\nhttps://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/\r\nPage 1 of 4\n\nhttps://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nREvil ransomware last year deposited $1 million worth of Bitcoin to a different hacking forum to attract new recruits into\r\nthe operation. This move showed that they trusted the forum administrator with the money and that there was plenty of\r\nmoney to be made.\r\nLast week, DarkSide closed shop and informed affiliates that the decision came after losing access to their public-facing\r\nservers and it was \"due to the pressure from the US\" after the attack on Colonial Pipeline.\r\nUnpaid debts\r\nDarkSide’s dissolving of the ransomware-as-a-service (RaaS) operation was abrupt and clearly left some unfinished\r\nbusiness. Five partners have complained that the operators owed them money from paid ransoms or from hacking services:\r\nThe first affiliate asking for claim states that they were the 'pentester' for an attack and was owed 80% of the ransom\r\npayment. However, after the victim paid, the DarkSide operators stated they no longer had access to the funds and the\r\naffiliate could use the deposit at XSS to receive payment\r\nThe second affiliate states that they had bitcoins left for them on the affiliate portal but had to rush to their relatives\r\nbefore they could claim them\r\nA third affiliate states that they too were a 'pentester' and had a ransom payment right before the DarkSide operation\r\nshut down. This affiliate states they sent proof to the XSS admin\r\nA fourth affiliate states that they worked on corporate breaches but never received their last $150,000 payment\r\nThe fifth and final affiliate states that there was a $72,000 made to them on the affiliate portal but could not collect it\r\nbefore the operation closed due to health reasons\r\nIn the case of the first claim issued on March 14, the forum administrator who is acting as arbitrator, approved compensation\r\nfrom DarkSide’s deposit. They also asked others to come forward if they have cause.\r\nFour days later, the second claim appeared, followed by another three on March 19 and 20. None of these received a reply\r\nfrom the forum administrator.\r\nDarkSide became known in August 2020 and became one of the most prolific ransomware groups. In nine months, the\r\noperation made at least $90 million from ransoms.\r\nIn just one week, the gang collected about $9 million from two attacks: Colonial Pipeline and German chemical distribution\r\ncompany Brenntag.\r\nEven if DarkSide shut down, there are still victims being extorted. Affiliates have received the corresponding decryption\r\nkeys to continue negotiations with victim companies separately.\r\nh/t 3xp0rt\r\nhttps://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/\r\nhttps://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/"
	],
	"report_names": [
		"darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum"
	],
	"threat_actors": [],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85b09c4bc3e9537b2a4f6660d4cde637d374ebaa.pdf",
		"text": "https://archive.orkl.eu/85b09c4bc3e9537b2a4f6660d4cde637d374ebaa.txt",
		"img": "https://archive.orkl.eu/85b09c4bc3e9537b2a4f6660d4cde637d374ebaa.jpg"
	}
}