{
	"id": "50dc5b10-1e79-40f0-b895-437ef487dbf4",
	"created_at": "2026-04-06T00:09:28.425374Z",
	"updated_at": "2026-04-10T03:20:41.110264Z",
	"deleted_at": null,
	"sha1_hash": "86fe06b5c5eb51544f5387712f26c0b4774aae5f",
	"title": "DarkSide Ransomware has Netted Over $90 million in Bitcoin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 976945,
	"plain_text": "DarkSide Ransomware has Netted Over $90 million in Bitcoin\r\nBy Dr. Tom Robinson\r\nArchived: 2026-04-05 20:20:39 UTC\r\nElliptic was first to identify the Bitcoin wallet used by the DarkSide ransomware group to receive a 75 Bitcoin\r\nransom payment from Colonial Pipeline. \r\nColonial was the victim of a ransomware attack on May 7, 2021, which led to a voluntary shutdown of the main\r\npipeline supplying 45% of fuel to the East Coast of the United States. The attack was described as the worst\r\ncyberattack to date on U.S. critical infrastructure.\r\nIn this new report we expand our original analysis to examine all of the wallets used by DarkSide to receive\r\nBitcoin ransoms from victims over the past nine months.\r\nThis relies on Elliptic’s sophisticated blockchain analysis platform, combined with open source intelligence\r\ngathered by our team of analysts. To our knowledge, this analysis includes all payments made to DarkSide,\r\nbut further transactions may yet be uncovered, and the figures here should be considered a lower bound.\r\nOver $90 million extracted from 47 victims\r\nIn total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct\r\nwallets. According to DarkTracer, 99 organisations have been infected with the DarkSide malware - suggesting\r\nthat approximately 47% of victims paid a ransom, and that the average payment was $1.9 million.\r\nThe chart below shows the total value and number of ransom payments made to DarkSide over the past nine\r\nmonths. May was set to be a record month, until DarkSide reportedly shut down its operations on May 13, and its\r\nBitcoin wallet was emptied. \r\nhttps://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin\r\nPage 1 of 3\n\nSharing the spoils\r\nDarkSide is an example of “Ransomware as a Service” (RaaS). 
In this operating model, the malware is created by\r\nthe ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system\r\nand negotiating the ransom payment with the victim organisation. This new business model has revolutionised\r\nransomware, opening it up to those who do not have the technical capability to create malware, but are willing and\r\nable to infiltrate a target organisation.\r\nAny ransom payment made by a victim is then split between the affiliate and the developer. In the case of\r\nDarkSide, the developer reportedly takes 25% for ransoms less than $500,000, but this decreases to 10% for\r\nransoms greater than $5 million. This split of the ransom payment is very clear to see on the blockchain, with the\r\ndifferent shares going to separate Bitcoin wallets controlled by the affiliate and developer. In total, the DarkSide\r\ndeveloper has received bitcoins worth $15.5 million (17%), with the remaining $74.7 million (83%) going to the\r\nvarious affiliates.\r\nIn fact, the affiliate’s share of both the Colonial Pipeline and Brenntag ransom payments was sent to the same\r\nBitcoin wallet, suggesting that the same party was responsible for infecting both of these businesses.\r\nFollowing the money\r\nUsing Elliptic’s blockchain analytics we can follow the ransom payments and see where the bitcoins are being\r\nspent or exchanged. What we find is that the majority of the funds are being sent to cryptoasset exchanges, where\r\nthey can be swapped for other cryptoassets, or fiat currency.\r\nThe majority of cryptoasset exchanges comply with anti-money laundering regulations. They verify their\r\ncustomers’ identity and report suspicious activity. They also use blockchain analytics tools such as those offered\r\nby Elliptic to check customer deposits for links to illicit activity such as ransomware. 
\r\nHowever, some jurisdictions do not enforce these regulations, and it is to exchanges in these locations that much of\r\nthe DarkSide ransomware proceeds are being sent. Regulated cryptoasset businesses should perform careful due\r\ndiligence on the virtual asset service providers (VASPs) that they transact with. Elliptic Discovery provides risk\r\nprofiles of all major global VASPs - enabling you to take a risk-based approach to your crypto counterparties.\r\nLearn more about how Elliptic helps crypto businesses and financial institutions manage their cryptoasset risk. \r\nSource: https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin"
	],
	"report_names": [
		"darkside-ransomware-has-netted-over-90-million-in-bitcoin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86fe06b5c5eb51544f5387712f26c0b4774aae5f.pdf",
		"text": "https://archive.orkl.eu/86fe06b5c5eb51544f5387712f26c0b4774aae5f.txt",
		"img": "https://archive.orkl.eu/86fe06b5c5eb51544f5387712f26c0b4774aae5f.jpg"
	}
}