{
	"id": "07f4ec35-e3b7-4d68-b936-2917b24f681c",
	"created_at": "2026-04-06T00:18:48.564587Z",
	"updated_at": "2026-04-10T03:20:38.520594Z",
	"deleted_at": null,
	"sha1_hash": "d6d91844fd3fe67041b5aaad7ac793aa8adfc767",
	"title": "Elliptic Follows Bitcoin Ransoms Paid by Ransomware Victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50794,
	"plain_text": "Elliptic Follows Bitcoin Ransoms Paid by Ransomware Victims\r\nBy Dr. Tom Robinson\r\nArchived: 2026-04-05 17:03:31 UTC\r\nWhat does Elliptic's analysis tell us about DarkSide, the cybercrime group that held the US's energy infrastructure\r\nto ransom this week?\r\nUpdated: 15 May 2021\r\nElliptic clients can now use our transaction screening software to screen deposits for links to this high-profile\r\nincident.\r\nElliptic has identified the Bitcoin wallet used by the DarkSide ransomware group to receive ransom payments\r\nfrom its victims, based on our intelligence collection and analysis of blockchain transactions. This wallet received\r\nthe 75 BTC payment (worth $4.4 million at the time of the transaction) made by Colonial Pipeline on May 8,\r\nfollowing the crippling cyberattack on its operations - leading to widespread fuel shortages in the US.\r\nOur analysis shows that the wallet has been active since 4th March 2021 and has received 57 payments from 21\r\ndifferent wallets. 
Some of these payments directly match ransoms known to have been paid to DarkSide by other\r\nvictims, such as 78.29 BTC (also worth $4.4 million at the time of the transaction) sent by chemical distribution\r\ncompany Brenntag on May 11.\r\nIn fact, the affiliate’s share (the part of the ransom that goes to the deployer of the malware) of both the Colonial\r\nPipeline and Brenntag ransom payments was sent to the same Bitcoin address, suggesting that the same party was\r\nresponsible for infecting both of these businesses.\r\nIn addition, our analysis shows that a previously unreported ransom payment for ~$320,000 was made to\r\nDarkSide on the 10th May: the bitcoins originated from the same exchange used by Colonial Pipeline.\r\nIn total, the DarkSide wallet has received Bitcoin transactions since March with a total value of $17.5 million.\r\nRansoms associated with previous attacks were paid to other wallets.\r\nWhere is DarkSide sending the bitcoins?\r\nWe can also use blockchain analysis to follow the money trail and determine where DarkSide is sending its\r\nransomware proceeds, to launder them or convert them to cash.\r\nIt has been reported within the past hours that DarkSide itself has ceased operations and has had its funds seized -\r\nand indeed their wallet was emptied of the $5 million in Bitcoin it contained on Thursday afternoon. There has\r\nbeen speculation that the bitcoins were seized by the US government - if that is the case they didn’t actually seize\r\nmost of Colonial Pipeline’s ransom payment - the majority of that was moved out of the wallet on the 9th May.\r\nhttps://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims\r\nPage 1 of 2\n\nBut by tracing previous outflows from the wallet, we can gain insights into how DarkSide and its affiliates were\r\nlaundering their previous proceeds. What we find is that 18% of the Bitcoin was sent to a small group of\r\nexchanges. 
This information will provide law enforcement with critical leads to identify the perpetrators of these\r\nattacks.\r\nAn additional 4% has been sent to Hydra, the world’s largest darknet marketplace, servicing customers in Russia\r\nand neighboring countries. As we revealed in previous research, Hydra offers cash-out services alongside\r\nnarcotics, hacking tools and fake IDs. These allow Bitcoin to be converted into gift vouchers, prepaid debit cards\r\nor cash rubles. If you’re a Russian cybercriminal and you want to cash out your crypto, then Hydra is an\r\nattractive option.\r\nWhat can be done about this?\r\nBy identifying this wallet, Elliptic’s clients, including financial institutions, crypto exchanges and fintechs, will\r\nnow be alerted to any client deposits that originate from the DarkSide wallet. By using our transaction and wallet\r\nscreening tools they can ensure that DarkSide and other ransomware operators cannot cash out or exchange their\r\nBitcoin proceeds, disincentivizing this activity.\r\nElliptic’s law enforcement clients can also use our software to trace these funds and seek to identify those\r\nresponsible for these crippling cyber attacks.\r\nLearn more about how Elliptic helps crypto businesses and financial institutions manage their cryptoasset risk.\r\nIf you don't already have Elliptic backing up your crypto AML compliance operations, you can schedule a\r\ndemo today.\r\nSource: https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims"
	],
	"report_names": [
		"elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6d91844fd3fe67041b5aaad7ac793aa8adfc767.pdf",
		"text": "https://archive.orkl.eu/d6d91844fd3fe67041b5aaad7ac793aa8adfc767.txt",
		"img": "https://archive.orkl.eu/d6d91844fd3fe67041b5aaad7ac793aa8adfc767.jpg"
	}
}