Blockchain analytics firm Elliptic says it has identified the Bitcoin wallet that hackers used to receive ransom payment from Colonial Pipeline, one of the largest fuel pipeline operators in the US.
The Eastern European criminal group DarkSide is linked to the ransomware attack that compromised the computer systems of Colonial Pipeline, causing several days of outage, fuel shortages, and a rise in gas prices.
Elliptic says that DarkSide’s Bitcoin wallet received 75 BTC from Colonial Pipeline on May 8th. An analysis of blockchain transactions also reveals that the wallet received 57 payments from 21 different wallets, which include the 78.29 BTC from Brenntag, indicating that the chemical distribution company was also a victim of DarkSide.
“The affiliate’s share (the part of the ransom that goes to the deployer of the malware) of both the Colonial Pipeline and Brenntag ransom payments was sent to the same Bitcoin address, suggesting that the same party was responsible for infecting both of these businesses.”
The firm says it also discovered a previously unreported ransom payment of around $320,000 in BTC sent on May 10th from the same exchange used by Colonial Pipeline.
The criminal group’s wallet has been active since March 4th, and Elliptic says it has so far received a total of $17.5 million in crypto payments.
It has been speculated that the US government seized $5 million worth of BTC from the wallet, but Elliptic says that even if this is the case, DarkSide still managed to move the majority of the ransom payment out of the compromised wallet on May 9th.
The analytics firm says that 18% of the coins were sent to a small group of exchanges and 4% went to Hydra, the largest darknet marketplace that offers cash-out services.
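As an added illustration of the two inferences described above, the affiliate linkage across victims and the share of outflows that ends up at exchanges and darknet markets, the following Python is not Elliptic's code or data: it runs a UTXO-style forward trace over a constructed toy ledger in which the transaction ids, addresses, amounts, the 75/25 operator/affiliate split and the exchange/darknet labels are all assumptions.

```python
from collections import defaultdict
# Constructed, simplified UTXO ledger (not real chain data), in confirmation order:
# (txid, inputs as spent (txid, vout), outputs as (address, BTC)); 75/25 split assumed.
TXS = [
    ("pay_colonial", [], [("darkside", 75.0)]),
    ("pay_brenntag", [], [("darkside", 78.29)]),
    ("pay_third", [], [("darkside", 5.5)]),
    ("ext_funds", [], [("operator", 43.75)]),  # operator's own, non-ransom coins
    ("split_colonial", [("pay_colonial", 0)], [("operator", 56.25), ("affiliate_1", 18.75)]),
    ("split_brenntag", [("pay_brenntag", 0)], [("operator", 58.72), ("affiliate_1", 19.57)]),
    ("split_third", [("pay_third", 0)], [("operator", 4.125), ("affiliate_2", 1.375)]),
    ("cashout", [("split_colonial", 0), ("ext_funds", 0)], [("exchange_A", 80.0), ("hydra_deposit", 20.0)]),
]
OUTPUTS = {txid: outs for txid, _, outs in TXS}
LABELS = {"exchange_A": "exchange", "hydra_deposit": "darknet market"}  # assumed attribution data

def spender_of(outpoint):
    """Id of the tx that spends outpoint (txid, vout), or None if unspent."""
    return next((txid for txid, ins, _ in TXS if outpoint in ins), None)

def payout_addresses(wallet):
    """Map each address paid directly out of a ransom to the victims whose coins reached it."""
    shared = defaultdict(set)
    for txid, ins, outs in TXS:
        for vout, (addr, _) in enumerate(outs):
            if addr == wallet and not ins:  # an external payment into the wallet
                spend = spender_of((txid, vout))
                for out_addr, _ in (OUTPUTS[spend] if spend else []):
                    shared[out_addr].add(txid)
    return {a: sorted(v) for a, v in shared.items()}

def taint_by_category(wallet):
    """BTC from the wallet reaching each labelled category (mixed txs split pro rata by tainted input share)."""
    taint, totals = {}, defaultdict(float)
    for txid, ins, outs in TXS:
        for vout, (addr, amt) in enumerate(outs):
            if addr == wallet:
                taint[(txid, vout)] = amt  # ransom money arriving at the wallet
        in_taint = sum(taint.get(o, 0.0) for o in ins)
        if in_taint == 0:
            continue  # nothing here traces back to the wallet
        in_total = sum(OUTPUTS[t][v][1] for t, v in ins)
        for vout, (addr, amt) in enumerate(outs):
            share = amt * in_taint / in_total
            if addr in LABELS:
                totals[LABELS[addr]] += share
            else:
                taint[(txid, vout)] = share  # keep following unlabelled coins
    return dict(totals)
```

An address funded from every victim's payment is the likeliest operator address, while one shared by only some victims is the common affiliate the article describes; percentages such as the 18% and 4% figures come from dividing each category's total by what the wallet received.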