KEY POINTS

  • The hackers received millions in ransom payment before shutting down last week
  • The group's Bitcoin wallet containing at least $5.3 million in cryptocurrency has been emptied
  • The group said it was ceasing operations due to pressure from the U.S. government

A group of hackers responsible for the ransomware attack on Colonial Pipeline earlier this month received millions in Bitcoin payments before shutting down operations last week, new research showed.

DarkSide, the hacker group, received over $90 million in Bitcoin ransom payments from an estimated 47% of its cyberattack victims, including Colonial, which reportedly paid a $5 million ransom, according to blockchain analytics from Elliptic.

“To our knowledge, this analysis includes all payments made to DarkSide, however further transactions may yet be uncovered, and the figures here should be considered a lower bound,” Tom Robinson, Elliptic’s co-founder and chief scientist, said in the report. 

The group, which the FBI said is based in Eastern Europe, received an average payment of $1.9 million from its victims and was expected to hit a record month for ransom payments in May before it ceased operations on May 13. 

"In view of the above and due to the pressure from the U.S., the affiliate program is closed. Stay safe and good luck," the group said in a message obtained by cybersecurity firm Intel 471. "The landing page, servers, and other resources will be taken down within 48 hours."

Elliptic also said that the Bitcoin wallet DarkSide used to collect ransom payments from its victims has been emptied. The wallet contained $5.3 million worth of Bitcoins before it was drained. 

DarkSide operates as a “Ransomware as a Service.” Under this model, the ransomware developer creates the malware, while the affiliate infects the target and negotiates the ransom payment.

Any ransom payment received by the group is split between the developer and the affiliate. In the case of DarkSide, the ransomware developer receives 25% of ransoms below $500,000. That share decreases to 10% for payments exceeding $5 million.

The ransomware group’s developer received at least $15.5 million of the $90 million total ransom payments. Its affiliates received $74.7 million. The majority of the funds were sent to crypto exchanges, where they can be converted into fiat money. 

Approximately 99 organizations have fallen victim to DarkSide’s malware as of Monday, according to the criminal intelligence platform DarkTracer.

Photo caption: After a cyber attack, Colonial said it was moving toward a partial reopening of its pipeline system -- the largest fuel network between Texas and New York. Photo: AFP / JIM WATSON