{
	"id": "f071f88b-dba2-4c89-93f2-d37bc05f3db6",
	"created_at": "2026-04-06T01:31:06.084513Z",
	"updated_at": "2026-04-10T13:11:32.842311Z",
	"deleted_at": null,
	"sha1_hash": "c964cfc2d40ae641c55b85aadd4803651b47c768",
	"title": "DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85440,
	"plain_text": "DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash\r\nSeized\r\nPublished: 2021-05-16 · Archived: 2026-04-06 01:19:56 UTC\r\nThe DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week\r\nthat led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it\r\nwas closing up shop after its servers were seized and someone drained the cryptocurrency from an account the\r\ngroup uses to pay affiliates.\r\n“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown\r\naccount,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.\r\n“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the\r\noutage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.\r\n“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other\r\ninformation,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server\r\n(ours and clients’) were withdrawn to an unknown address.”\r\nDarkSide organizers also said they were releasing decryption tools for all of the companies that have been\r\nransomed but which haven’t yet paid.\r\n“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions\r\nread.\r\nThe DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service\r\nplatform. 
This is interesting because security experts have posited that many of DarkSide’s core members are\r\nclosely tied to the REvil gang.\r\nThe REvil representative said its program was introducing new restrictions on the kinds of organizations that\r\naffiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector”\r\n(defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country.\r\nAffiliates also will be required to get approval before infecting victims.\r\nThe new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware\r\noperations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the\r\ncommunity would no longer allow discussion threads about ransomware moneymaking programs.\r\n“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of\r\nnonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of\r\nunpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has\r\nbecome dangerous and toxic.”\r\nIn a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be\r\ntied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.\r\n“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are\r\ntrying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A\r\nnumber of the operators will most likely operate in their own closed-knit groups, resurfacing under new names\r\nand updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the\r\ncryptocurrency they earn from ransoms. 
Intel 471 has observed that BitMix, a popular cryptocurrency mixing\r\nservice used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the\r\nservice reported they were unable to access BitMix in the last week.”\r\nSource: https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/"
	],
	"report_names": [
		"darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized"
	],
	"threat_actors": [],
	"ts_created_at": 1775439066,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c964cfc2d40ae641c55b85aadd4803651b47c768.pdf",
		"text": "https://archive.orkl.eu/c964cfc2d40ae641c55b85aadd4803651b47c768.txt",
		"img": "https://archive.orkl.eu/c964cfc2d40ae641c55b85aadd4803651b47c768.jpg"
	}
}