RANSOMWARE PAYMENTS: How the Ransom Amount moves around on the Dark Web

Rakesh Krishnan
Coinmonks


NOTE: This research article focuses on ransomware payments that circulate among various nefarious channels on the Dark Web. It gives a brief overview of how ransomware operators rotate and pass their ransom through various underground cybercrime activities.

INDEX

INTRODUCTION

CASE 1: AKIRA RANSOMWARE
EXPLORING AKIRA WALLETS
AKIRA RANSOM PAYMENTS
UNWINDING WALLET 1: bc1qr0pqfghr9cksfc5arr2rak3lt2y50v03pc76nh
UNWINDING WALLET 2: bc1qpwwtck0zhzrj56fxeayz6wz5546nlp607qzpvh
UNWINDING WALLET 3: bc1qandfxc4knaf943njca77edl9mmegzs83tv8lpx
AKIRA RANSOMWARE - BITCOIN LAUNDERING VIA EXCHANGE
AKIRA IN CONNECTION WITH OTHER DARK WEB SERVICES


CASE 2: DARKSIDE RANSOMWARE
EXPLORING DARKSIDE WALLETS: COLONIAL PIPELINE ATTACK
DARKSIDE IN CONNECTION WITH OTHER DARK WEB SERVICES
RESUMING BLACKBASTA WALLET INVESTIGATION
DARKSIDE RANSOM PAYMENTS


CASE 3: BLACKBASTA RANSOMWARE
EXPLORING BLACKBASTA WALLET
UNWINDING WALLET 1: 1GnkF1JtPT6EJcgJRFjArKZHjQs873eUeE
UNWINDING WALLET 2: 13rhLTYUKo9ijrR8vinojZqoZTpTe1fm8c
BLACKBASTA RANSOM PAYMENTS
BLACKBASTA RANSOMWARE - BITCOIN LAUNDERING VIA MINING POOLS
BLACKBASTA IN CONNECTION WITH OTHER DARK WEB SERVICES


CASE 4: LOCKBIT RANSOMWARE
EXPLORING LOCKBIT WALLETS
UNWINDING WALLET 1: 1KsiEH5ZrfS3XhLVUU758rMKnP65kz2GYz
UNWINDING WALLET 2: bc1q9x0sg3w0gwl0yfyml78zp7mdpuan005scwvytu
ASTONISHING REVELATION: LOCKBIT (Susp.) PARTNERS WITH KARAKURT
MYSTERIOUS WALLET
LOCKBIT RANSOM PAYMENT
LOCKBIT IN CONNECTION WITH OTHER DARK WEB SERVICES

CONCLUSION
KEY FINDINGS

INTRODUCTION

It is a well-known fact that ransomware payments get rotated multiple times before being stashed in a cold/hot wallet, to evade the prying eyes of feds/investigators. Generally, such WHALE accounts only become active months or even years after the heist.

Depiction of Ransomware Villain [GOAT Villain] | Credit: Self (AI-Gen)

Here, we will be performing an in-depth exploration of Ransomware Payments and how they are being connected (in)directly to other wicked services on the Dark Web. As a part of this, we are going to examine the 4 most popular Ransomware Players who are prevalent on the Dark Web.

NOTE: Here, we are NOT going to cover the in-depth technicalities of Ransomware, but rather we are going to do a forensic investigation on the Bitcoin Wallets held by the Ransomware Operators to examine how the money is being spent on different tangents at different intervals on the Dark Web.

By the end of this article you will see the following Ransomware Gains:-

AKIRA: 19M USD
BLACKBASTA: 9M USD
DARKSIDE: 11M USD
LOCKBIT: 10M USD

CASE 1: AKIRA RANSOMWARE

During my investigation, I found 3 active Bitcoin (BTC) Wallets maintained by AKIRA Group.

bc1qandfxc4knaf943njca77edl9mmegzs83tv8lpx: July 13, 2023
bc1qr0pqfghr9cksfc5arr2rak3lt2y50v03pc76nh: September 1, 2023
bc1qpwwtck0zhzrj56fxeayz6wz5546nlp607qzpvh: August 29, 2023

NOTE: The date here refers to the wallet activation date, i.e. when the first transaction hit the wallet. This parameter helps us draw a timeline for the heist events.

EXPLORING AKIRA WALLETS

Among the 3, the address bc1qr0pqfghr9cksfc5arr2rak3lt2y50v03pc76nh had received the highest ransom amount, clocking 38.5 BTC. It is also observed that this wallet had seen only a single transaction (tx).

Wallet Balance Details

UNWINDING WALLET 1: bc1qr0pqfghr9cksfc5arr2rak3lt2y50v03pc76nh

Exploring deeper into that address, we come across 3 other wallet addresses with high balances:-

bc1q5yuwudlvmy5thstd0vcj2rtwv2xnp8rj2uw8paaky7tduarhetvqtgz4e9: 147 BTC
bc1qsqg9d9pxgh2uvcesvjp07xa96knvjh2plz8k09mqdyzs7v74grfs7cg4fm: 104 BTC
bc1qs3n4hyexhhdjkvldvfjr44hjj2frwyv6jkd8wevess3kjcdun5xqrzcnf7: 60 BTC

From the above wallet addresses, it can be deduced that AKIRA had amassed a massive ~311 BTC (equivalent to $10M, or $10,828,615.70 ATTOW) in this heist series, which is dated September 1, 2023.

On a further deep dive, exploring another branch of the same wallet address, it was found that a suspected wallet of the group, bc1qlaepx07qr7zvtaqtakt0q0asmduet3z69g5s6x, held about 51 BTC in October 2023.

Wallet: bc1qlaepx07qr7zvtaqtakt0q0asmduet3z69g5s6x
FIRST SEEN: October 20, 2023
LAST SEEN: October 24, 2023
AMOUNT (IN BTC): 51.56534349
AMOUNT (IN USD): $1,873,291

UNWINDING WALLET 2: bc1qpwwtck0zhzrj56fxeayz6wz5546nlp607qzpvh

By exploring the 3rd BTC address in the AKIRA wallet list, bc1qpwwtck0zhzrj56fxeayz6wz5546nlp607qzpvh (which had seen a 3 BTC tx), we found another 2 wallet addresses with high balances. They are:-

bc1q7ea0g6nrg4g2qkcngl8d2fqp6k6s8rugnjvj3l7pal66tz2jzz3saeldyz: 137 BTC
bc1qquwswlafqe24tge30a7gcj9tecxjt2umzxa6rhc9z5ql7ghx2qts87yejs: 75 BTC

From the 3rd wallet address, it can be deduced that AKIRA had amassed a whopping ~212 BTC (equivalent to $7,381,564.40 ATTOW) in this heist series, which is dated August 29, 2023.

UNWINDING WALLET 3: bc1qandfxc4knaf943njca77edl9mmegzs83tv8lpx

By exploring the 1st BTC address in the AKIRA wallet list, bc1qandfxc4knaf943njca77edl9mmegzs83tv8lpx (which had seen a 2.4 BTC tx), we found another wallet address with a high balance. It is:-

bc1qXXXXXXXXXXXXupqkcsXXXXXXXX: 2.7 BTC

From this single wallet, it can be estimated that the AKIRA group had extorted $93,887.10 (ATTOW) in this heist series, which is dated July 13, 2023.

AKIRA RANSOM PAYMENTS

Hence, by cataloging the results of all 3 major wallets, we can conclude that AKIRA Ransomware had made about $19M in just 4 months (July to September).

AKIRA Ransomware Payments in 2023 (In USD)

NOTE: Here, we are only discussing the particular dates on which the threat actors actively moved their funds. This does not mean that the threat actors have only these wallets; they may have more hot/cold wallets, but in this scenario we are using the WALLET ACTIVATION DATE as the indicator. So the group may hold more funds than the above-mentioned figure.

AKIRA RANSOMWARE — BITCOIN LAUNDERING VIA EXCHANGE

During the forensic analysis of the Bitcoin Addresses of AKIRA, it was found that the group had multiple connections with underground dark web services.

It was also uncovered that the group had stashed a decent amount in fraudulent Bitcoin exchanges such as MINE.EXCHANGE, which has a history of handing out tainted ("dirty") bitcoins to its legitimate users in exchange for fiat currency (when they sign up to purchase BTC from the exchange).

This came to light when many of its users started getting blacklisted while trying to use the received bitcoins in other services or reputed exchanges. As a result, genuine users get blocked/blacklisted due to the presence of tainted money in their wallets.

TAINTED BTC → SHADY EXCHANGE → TAINTED BTC → LEGIT USERS

This is one of the effective money laundering methods used by shady exchanges.

AKIRA IN CONNECTION WITH OTHER DARK WEB SERVICES

While tracing the highest-balance account on the blockchain, it was found that AKIRA had contributed to a Bitcoin wallet which has a history of fraudulent transactions: bc1qng0keqn7cq6p8qdt4rjnzdxrygnzq7nd0pju8q.

BTC Address: bc1qng0keqn7cq6p8qdt4rjnzdxrygnzq7nd0pju8q
FIRST SEEN: JUNE 17, 2021
LAST SEEN: TODAY (as it's a highly active wallet)
AMOUNT IN BTC: 168,925
AMOUNT IN USD: $6 Billion (~$6,007,986,550)

Following is a timeline chart that depicts the relationship of AKIRA Ransomware with other malicious operators on the Dark Web.

CASE 2: DARKSIDE RANSOMWARE

There are about 11 Bitcoin Wallet Addresses attributed to DarkSide Ransomware Group, with more than 6 BTC in 5 Wallets.


NOTE: As there is a large number of addresses here, we will focus only on the high-balance wallet addresses.

EXPLORING DARKSIDE WALLETS: COLONIAL PIPELINE ATTACK

There are 2 wallets with the highest balance, clocked at 107 BTC, that are associated with the Colonial Pipeline attack, which happened on May 7, 2021. They are:-

bc1q2sewgrnau4e4gvceh8ykzf8lqxawpluu0k0607
bc1qvya30xewdeatneqj90ypvzq4kjzgyz8cnvu7rm

Upon investigation, it was found that Colonial Pipeline had made the payment from the GEMINI exchange to the DarkSide Ransomware Group at 4:12 PM UTC on May 8, 2021.

It is also notable that though the victim paid 75 BTC, the FBI managed to recover 64 BTC; however, the other 11 BTC was sent to a wallet that DarkSide controls. While tracing it, it was found that after the amount was split over several rounds (a pattern also known as a peel chain), 5 BTC had been deposited to this address: 1LsYc2U8KJ3163pYRukMSs4fUXaXLh4ePD, which is a Binance Wallet AG.

Wallet Details

From the wallet details, it is clear that this wallet had gained about 463 BTC from April 2021 to Oct 2023. It could belong either to the DarkSide group or to an associated group that links directly to DarkSide.
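The tracing steps the article applies by hand (the FIRST SEEN / LAST SEEN / amount cards, following a peel chain hop by hop until it lands on an exchange, and tying newly found wallets to a known one by activation date) can be sketched in code. The following Python is an added example, not part of the original article; every address, date and amount in it is constructed, and the `KNOWN_SERVICES` labels stand in for the exchange/mixer/pool attributions an investigator would keep.

```python
"""Toy tracing helpers for the wallet analysis in this article: FIRST SEEN /
LAST SEEN / amount cards, peel-chain following, and the 'activated within a
few days of a known wallet' heuristic. All data is constructed, not real."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Tx:
    txid: str
    day: date
    inputs: list   # addresses spent from
    outputs: list  # (address, amount_btc) pairs; fees are ignored here


# Constructed sample (hypothetical addresses): an 11 BTC ransom is peeled
# down over four hops, skimming a smaller output at each step, until 5 BTC
# lands on an address we have labelled as an exchange deposit.
TXS = [
    Tx("tx-0", date(2021, 5, 7), ["victim-exchange"], [("ransom-addr", 11.0)]),
    Tx("tx-1", date(2021, 5, 8), ["ransom-addr"], [("hop1", 10.5), ("peel1", 0.5)]),
    Tx("tx-2", date(2021, 5, 9), ["hop1"], [("hop2", 7.0), ("peel2", 3.5)]),
    Tx("tx-3", date(2021, 5, 12), ["hop2"], [("hop3", 6.5), ("peel3", 0.5)]),
    Tx("tx-4", date(2021, 5, 20), ["hop3"], [("exchange-deposit", 5.0), ("peel4", 1.5)]),
]
# Hypothetical service labels an investigator keeps (exchanges, mixers, pools).
KNOWN_SERVICES = {"exchange-deposit": "exchange hot wallet (constructed label)"}


def address_stats(txs):
    """FIRST SEEN / LAST SEEN / total-received card for every output address."""
    stats = {}
    for tx in txs:
        for addr, amount in tx.outputs:
            card = stats.setdefault(
                addr, {"first_seen": tx.day, "last_seen": tx.day, "received_btc": 0.0})
            card["first_seen"] = min(card["first_seen"], tx.day)
            card["last_seen"] = max(card["last_seen"], tx.day)
            card["received_btc"] += amount
    return stats


def follow_peel_chain(txs, start, known_services, max_hops=50):
    """Follow the earliest spend of each address along its largest output (the
    continuing 'change'), recording the smaller peeled-off outputs, until the
    chain reaches a labelled service address or an address that is never spent."""
    spends = defaultdict(list)
    for tx in txs:
        for addr in tx.inputs:
            spends[addr].append(tx)
    chain, peeled, current, delivered = [start], [], start, None
    for _ in range(max_hops):
        if current in known_services or current not in spends:
            break
        tx = min(spends[current], key=lambda t: t.day)
        outputs = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        (current, delivered), *rest = outputs
        peeled.extend(rest)
        chain.append(current)
    return {"chain": chain, "peeled": peeled, "endpoint": current,
            "endpoint_label": known_services.get(current), "delivered_btc": delivered}


def activated_within(stats, anchor, days):
    """Addresses first seen within `days` of the anchor wallet's activation date:
    the timestamp heuristic the article uses to tie a found wallet to a known one."""
    anchor_day = stats[anchor]["first_seen"]
    return sorted(addr for addr, card in stats.items()
                  if addr != anchor and abs((card["first_seen"] - anchor_day).days) <= days)


if __name__ == "__main__":
    trace = follow_peel_chain(TXS, "ransom-addr", KNOWN_SERVICES)
    print(" -> ".join(trace["chain"]), "| delivered:", trace["delivered_btc"], "BTC")
    print("peeled off:", trace["peeled"])
    print("activated within 3 days:", activated_within(address_stats(TXS), "ransom-addr", 3))
```

On real chain data the "largest output continues" rule is only a heuristic: a change output is not always the largest, so each hop should be cross-checked against timestamps and service labels, as the article does.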

DARKSIDE IN CONNECTION WITH OTHER DARK WEB SERVICES

On meticulous examination, it was found that this address had deposited about 50 BTC to another fraudulent wallet, bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h, which is known for hosting YouTube scams, crypto investment scams, phishing, Instagram scams, Bitcoin mining scams, etc.

This address is a BINANCE HOT WALLET which has amassed a mammoth 42,852,767 BTC (about 1 trillion USD: $1,574,530,647,327) and is still active.

RESUMING BLACKBASTA WALLET INVESTIGATION

Exploring another branch of the blockchain from the DarkSide wallets, it is evident that the group had laundered money via the BITZLATO exchange (with a fee of $25), whose founder had been charged with money laundering by the FBI.

Screenshot: Captured from the official website of the FBI

NOTE: Once the funds are laundered, it is a herculean task to pinpoint each micro-transaction, as many of them lead into other branches and ultimately get clubbed together with other chains, evading detection.

DARKSIDE RANSOM PAYMENTS

While inspecting the high-confidence DarkSide wallets, it can be estimated that the group gained about 307 BTC ($11M) in this single heist series.

NOTE: There could be more interconnected wallets that have not yet been picked up/detected. Hence, the quoted amount is not a ballpark figure. Also note that we have not picked up other DarkSide wallet addresses here.

CASE 3: BLACKBASTA RANSOMWARE

During the investigation, I found 2 active Bitcoin (BTC) Wallets maintained by BLACKBASTA Group.

13rhLTYUKo9ijrR8vinojZqoZTpTe1fm8c: Oct 11, 2022
1GnkF1JtPT6EJcgJRFjArKZHjQs873eUeE: Dec 8, 2022

EXPLORING BLACKBASTA WALLET

It was found that the address 1GnkF1JtPT6EJcgJRFjArKZHjQs873eUeE had seen about 29.5 BTC in ransom collected from victims, dated December 8, 2022.

UNWINDING WALLET 1: 1GnkF1JtPT6EJcgJRFjArKZHjQs873eUeE

NOTE: Here, we first uncover the possible addresses associated with BLACKBASTA, and then proceed to the malicious services involved with this ransomware group.

By exploring the 1st BTC address of the BLACKBASTA wallet list, 1GnkF1JtPT6EJcgJRFjArKZHjQs873eUeE (which had seen 29.5 BTC), we found another wallet address with a high balance. It is:

364P23UEDWfe1Yx1P8QEfgeTdf1DodLSgy: 327 BTC

It is a KRAKEN hot wallet that was active from October 5, 2022, to March 30, 2023. It could be either a wallet of BLACKBASTA or an ally of the group with a direct connection. Notably, the wallet was emptied this year (2023), and the first transaction seen on it is dated October 5, 2022, which matches the BLACKBASTA activity recorded on the blockchain.

Apart from the above address, another high-balance Wallet was found which is connected to this heist series:

bc1q7nezx675xwt8whm4c4r8qw30peksmqpnf8fuxz856kqa0c86kjusnkwwvp: 115 BTC

The above address has a single transaction of about 115 BTC (in one go) on December 7, 2022, which has a direct connection with the confirmed BlackBasta address (1GnkF1JtPT6EJcgJRFjArKZHjQs873eUeE). The matching timestamp further supports the conclusion that the wallet holder is a member of the ransomware group.

While analyzing the wallet transactions, another high-balance wallet was identified.

Wallet of Mysterious Person who constantly funds Cyber Criminals

bc1q6jgn4mry6h23aw6jnl3ac7m2r4442vm5sjqccw: 5,144 BTC; active since February 2022 and still active.

Notably, the same address has been tied to the North Korean threat actor KIMSUKY, whose wallets have been seen receiving funds from this same unknown wallet. You can find details here.

This underlines the fact that funds transferred from this unknown wallet are a parameter common to both state-sponsored threat actors and ransomware players. Hence, this possibility points a finger at some mixer/tumbler service on the Dark Web.

Another wallet that surfaced during the investigation:-

bc1qmm6s7tj04dtje0kpgaz76vyv4xyh607j4ruegm309c9s7cqjtk3s5557sw: 107 BTC

UNWINDING WALLET 2: 13rhLTYUKo9ijrR8vinojZqoZTpTe1fm8c

We found another wallet in the sending list of the above address, bc1qpah3su4gw5525twheach3jwn328ecywrhrprta, which had seen a balance of about 7 BTC.

As both wallets had seen the same timestamp (Oct 18–19, 2022), we can estimate that the found address is associated with DARKSIDE. Another interesting fact to note here is:-

Wallet Transaction Timeline

Here, we can see that the above (found) address received about 7.6 BTC on October 19, 2022; however, DARKSIDE remained silent for 4 months before transferring the amount, in February 2023, to another major wallet which holds about 150 BTC, i.e.:

bc1qnqh0uyytk5642078tnu9c8faum6qt4msvxmlmv: 150 BTC

BLACKBASTA RANSOM PAYMENTS

By analyzing the above 2 wallets, it can be estimated that the group made about 265 BTC (about $9M; to be precise, $9,718,000 ATTOW) in this heist series, which happened/operated between Oct 2022 and February 2023.

It is also noted that the addresses of BLACKBASTA are actively involved with the KRAKEN exchange, as many of them point back to KRAKEN hot wallets. Some are left with hefty amounts too. On a reputation check of KRAKEN, it was found that the company was charged with BTC laundering in 2022. You may find details here.

It is interesting to find that there are a few addresses with high balances, and ultimately they lead to the KRAKEN exchange. From this, it can be deduced that BLACKBASTA had amassed about 326 BTC, recorded on December 7–8, 2022.

BLACKBASTA RANSOMWARE — BITCOIN LAUNDERING VIA MINING POOLS

During analysis of both addresses, it was found that the operators of BLACKBASTA had dumped about 120 BTC, at different time intervals, to a Bitcoin mining pool named "POOLIN", which is based in China.

ADDRESS ASSOCIATED WITH POOLIN

1GnkF1JtPT6EJcgJRFjArKZHjQs873eUeE: BLACKBASTA dumped to POOLIN
bc1q65fuk9htaemp02a9vywyw08xntyeh95d9hyl9n: BLACKBASTA dumped to POOLIN
bc1qjwec4rlxznzgfa07r3p6qd0ynlkz4dpufztttn: BLACKBASTA dumped to POOLIN
1PxzoJJdBEZwraD8zHTfqbhyB21BRZpGRC: POOLIN WALLET
1DnXSsaqJn4Z2NaqjcH8amnGq5FztgTJnU: POOLIN WALLET

BLACKBASTA IN CONNECTION WITH OTHER DARK WEB SERVICES

Following is a timeline chart that depicts the relationship of BLACKBASTA Ransomware with other malicious operators on the Dark Web.

FOOTNOTE: Other services such as BITMEX, KUCOIN Wallet, PAXFUL, MERCADO (a Brazilian exchange) and BITSTAMP are also associated with the BLACKBASTA Ransomware Group.

CASE 4: LOCKBIT RANSOMWARE

Upon analyzing the various versions of LockBit Ransomware (including LockBit 2.0), we came across 4 main payment wallets used by the group. They are:-

1KsiEH5ZrfS3XhLVUU758rMKnP65kz2GYz
bc1q9x0sg3w0gwl0yfyml78zp7mdpuan005scwvytu

bc1qwx9y37xd8sznjj0yw85q9fd9qfyaur9xasc2h4
bc1qr4mhf2zqtgd45x9clfmuekf42z4eglh4aydlnk

Of these wallets, we will focus in depth only on the first 2, which had seen 3 BTC and 2 BTC respectively; the remaining 2 wallets had seen only a minuscule amount of bitcoin and will be analyzed only briefly.

EXPLORING LOCKBIT WALLETS

UNWINDING WALLET 1: 1KsiEH5ZrfS3XhLVUU758rMKnP65kz2GYz

FIRST SEEN: DECEMBER 1, 2020
LAST SEEN: DECEMBER 21, 2020
AMOUNT IN BTC: 3.16559320
AMOUNT IN USD: 115,754

By checking the receiving path of this address, we came across another wallet, 3BYSMWwncf65DaPiVK6tPWvscYpfdm5CB5, with 9.94 BTC. Inspecting the timeline, which dates back to December 1, 2020, strengthens the case that the LockBit group holds this wallet.

NOTE: The above address had received funds from a fraudulent bitcoin wallet, 1GQdrgqAbkeEPUef1UpiTc4X1mUHMcyuGW, which is home to multiple scam campaigns such as the Elon Musk giveaway, forex trading scams, etc. This wallet has been functional since 2018 and has seen a whopping $316 BILLION worth of bitcoins (ATTOW) to date.

While tracing the receiver payment channels of LockBit’s main account, we came across the following address:-

ADDRESS: 37HBoGiHfQwJNFrKkEheiPDqauLJLuDoRx
FIRST/LAST SEEN: December 14, 2020
Amount in BTC: 18.29269382
Amount in USD: $663,944

NOTE: Following the trail, it ended up in a Binance hot wallet, 1XZ71EpZkS3oHVQVdt8eQZWXWRLccS8My, with a total received amount of 89,456 BTC since 2017; the wallet was emptied recently, on Oct 13, 2023.

By exploring another chain, we found another LockBit wallet, bc1qe9y4ek7uzw3c02dv3ld9m6yudvxczvhp0ryvm6: 6 BTC, which was active from March 3, 2020, to June 10, 2021.

Aggregating the above wallets, it is confirmed that the group holds about 34 BTC so far from this heist episode.

UNWINDING WALLET 2: bc1q9x0sg3w0gwl0yfyml78zp7mdpuan005scwvytu

FIRST SEEN: February 5, 2022
LAST SEEN: February 6, 2022
AMOUNT IN BTC: 2.87590
AMOUNT IN USD: $106,148

Tracing the highest balance, it was found that 0.5 BTC had been dumped, on Aug 23, 2022, to the following account, which held about 5.55 BTC.

Address: bc1q9lqvy9zpwjs2qypqxn0uv7zyywwd8sdt84ggkn
FIRST SEEN: August 9, 2022
LAST SEEN: October 30, 2023
AMOUNT IN BTC: 5.55552357
AMOUNT IN USD: $203,842

(This address has been seen depositing the amount to a new wallet, bc1qyfu6rfalh6pgtld0j5zcp9z9wvf7gv626344rx, which has been active since Oct 30, 2023 and whose balance has not yet been withdrawn.)


NOTE: These addresses might not belong to LOCKBIT, but they do have a connection, as a share of the ransom was sent to this address.

Now resuming the activity of the main wallet…

Tracing the funds received by the main wallet, we came across another wallet (above) which belongs to the LockBit group, and there is evidence of the ransom amount being transferred to this account:- bc1qhx4mc6ts7lsqt2utstd6jqpgugtdmwwcye3jjv

Proof of Ransom Transfer divided into 2 accounts

While checking the timeline of this BTC wallet, it was found that it also became active during the same period, i.e. February 2, 2022 (Wallet 2 was active on February 5, 2022).

Hence, this brings us to bc1qhx4mc6ts7lsqt2utstd6jqpgugtdmwwcye3jjv:

FIRST SEEN: February 2, 2022
LAST SEEN: February 10, 2022
Amount in BTC: 11.01014460
Amount in USD: $403,965

In this context, we cannot be certain that this wallet belongs to LOCKBIT, but going by the timeline, there is a high probability that it does.

ASTONISHING REVELATION: LOCKBIT (Susp.) PARTNERS WITH KARAKURT

While tailing the above address, it was found that the suspected LOCKBIT wallet had deposited about 4.410 BTC (which translates to $161,608) to the KARAKURT Ransomware Group's wallet bc1q3xgr4z53cdaeyn03luhen24xu556y5spvyspt8 on Feb 2, 2022, 6:49 PM UTC. The same wallet appears in the official CISA report on the KARAKURT group.

Proof of Fund Transfer from LOCKBIT to KARAKURT Wallet

NOTE: This wallet had seen only this single transaction from LockBit. It is important to note that KARAKURT had previously been associated with other ransomware groups, such as the CONTI and DIAVOL groups.

MYSTERIOUS WALLET

By checking the lowest transaction (of WALLET 2), it was found that there is a transaction of 12 BTC, on February 10, 2022, to the same fraudulent address, bc1qng0keqn7cq6p8qdt4rjnzdxrygnzq7nd0pju8q, which we spotted for the AKIRA wallet (the timeline matches here too).

Hence, this underlines the fact that this criminal account is actively used by many ransomware operators to contribute a share of their ransom to this wallet address.

The real question is: WHAT SERVICE DOES THIS WALLET HOLDER PROVIDE TO RANSOMWARE GROUP?

Maybe it is a Bitcoin Mixer or Mining Pool or any Dark Web Marketplaces etc. We never know until something comes up!

LOCKBIT RANSOM PAYMENT

LOCKBIT DEPOSITION
==================
1) bc1qwx9y37xd8sznjj0yw85q9fd9qfyaur9xasc2h4

Deposited the maximum amount to this wallet: 15oTKZ1oQgvNtJyqF8MJ9mNqKiNEeu4skG
Valid from June 2, 2018, to January 29, 2022
(Collected about 71 BTC)
Here, we can consider the above wallet to belong to LOCKBIT, as the main wallet continuously funnels money to this account. From the above wallet, we can estimate that this wallet holds about 72 BTC.

2) bc1qr4mhf2zqtgd45x9clfmuekf42z4eglh4aydlnk

Deposited an amount to 33633EUrKGC4d9kLiKmZrjzRsL6DUyEdaA, which has a balance of 2 BTC received from a fraudulent Binance hot wallet.

3) bc1q9x0sg3w0gwl0yfyml78zp7mdpuan005scwvytu: 2.8 BTC
This is the highest-balance wallet address, which is further bifurcated into other wallets. Hence, no high-BTC wallet was found.

4) 1KsiEH5ZrfS3XhLVUU758rMKnP65kz2GYz: 3 BTC
This address has been seen contributing to BITCOIN FOG (a mixing service) at various intervals. About 12 BITCOIN FOG addresses were found, and about $51K (1.4 BTC) had been transferred to those accounts during that timeline.

In total, LOCKBIT had collected about 76 BTC from this wallet heist series.

By focusing on the LOCKBIT wallet that received the least BTC (i.e. bc1qwx9y37xd8sznjj0yw85q9fd9qfyaur9xasc2h4), it was found that a high-balance account had deposited some amount to this confirmed (low-balance) LOCKBIT wallet.

WALLET: bc1qdwwpcydxy6xuvy0tfmxl5dvlw0lxfljk88k83f
FIRST/LAST SEEN: JULY 28, 2021
AMOUNT (IN BTC): 9,135.64527455
AMOUNT (IN USD): 332,998,155 (332M)

NOTE: The above-listed wallet could be LOCKBIT, but we do not have substantial proof to tie it to the group (ATTOW).

While exploring another chain of LockBit transactions, by drilling down another LockBit address chain, it was found that about 210+ BTC was transferred, over multiple rounds of transaction-chain rotation, to the exchange ZB.com in another LockBit heist episode.

In total, LockBit might have raised about 286 BTC during that single time frame of the same heist series.

LOCKBIT IN CONNECTION WITH OTHER DARK WEB SERVICES

Following is a timeline chart that depicts the relationship of LOCKBIT Ransomware with other malicious operators on the Dark Web.

CONCLUSION

Here, we have taken only a few confirmed wallets of 4 major ransomware players. This signifies the fact that ransomware operators make use of multiple services on the Dark Web and Surface Web to tumble/mix their ransom bitcoins, to keep their tracks clean.

KEY FINDINGS

1. It is notable that threat actors/ransomware operators test their initial wallet by transferring small amounts of between $2 and $4 (probably to themselves), to ensure that the wallet address works before passing it to the victims for ransom.

2. Shady Bitcoin exchanges accept the ransom amount (without conducting an AML check) and the same tainted bitcoins are supplied to new users of the exchanges, thereby incriminating them. It is a surprising fact that such tumbled/tainted bitcoins circulate in legitimate bitcoin exchanges, traded for fiat money from their users.

3. Ransomware operators often drop a significant amount into heavily blacklisted wallets that are present in other fraudulent activities such as theft, scam campaigns, phishing, etc.

4. Ransomware players make use of less-known exchanges like Mercado, MexC, ZB, etc., along with major exchanges like Binance, Kraken, and OKX. Most of these exchanges do face charges for money laundering.

5. Some incidents indicate that popular hacking groups are tied to ransomware operators. This could be for laundering activities.

6. One parameter common to all ransomware wallets is the use of PEELING: a technique that converts hefty transactions into multiple smaller amounts (smaller money chunks) to evade detection.

7. At times, the ransomware operators transfer their ransom to different wallets at hack/negotiation time and keep some of the wallets untouched for months to evade continuous detection.

8. Ransomware operators make use of mining pools to mix their bitcoin. These mining pools are based in China or Russia, which are safe havens for criminals.

9. There is an instance in which we found a connection between the KARAKURT Ransomware Group and LOCKBIT, which had deposited a decent amount to KARAKURT. This also points to a common connection between the 2 ransomware groups. Karakurt was previously associated with the Conti and Diavol groups.

10. During the investigation, it was also uncovered that a mysterious wallet has a common connection with both the AKIRA and LOCKBIT groups, where both parties contributed a significant amount to the mysterious wallet in return for a favor that is not yet known.

11. It was observed that North Korean threat actors (KIMSUKY and LAZARUS) have mainly shifted their focus to hacking crypto exchanges by finding 0-days or other unpatched vulnerabilities, thereby (indirectly) obtaining the funds of other ransomware groups as well, since those groups deposit part of the ransom in such exchanges before moving it to their private wallets.

12. Ransomware operators also spend their received ransom on various underground Dark Web marketplaces to purchase tools or web account access for use against their next targeted victims.

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- This article is purely individual research and is not to be used/published anywhere without the author's consent.


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.