How does DarkSide ransomware make $10+ million, shut down the Colonial Pipeline, and hide its tracks?

How do you hack $10+ million in bitcoin without being arrested?!

Author: Victor Fang, Ph.D. , Founder and CEO, AnChain.AI

DarkSide Ransomware Bitcoin Flow Timeline

The timeline below shows how the DarkSide hacker group ran the Colonial Pipeline ransomware campaign from a wallet cluster of around 30 bitcoin addresses that were active for 70 days, from March 4 to May 13, 2021. DarkSide received over 300 bitcoin, worth over $16 million, in ransom payments from Colonial, Brenntag, and various unnamed victims.

Figure 1: Timeline for DarkSide ransomware bitcoin flow.
Figure 2: DarkSide bitcoin Coinjoin mixing paths since May 1, 2021.

How to defend against DarkSide ransomware?

Depending on your role, we suggest the following countermeasures:

1. Enterprises and Individuals:

Antivirus software is still the most effective way to defend against DarkSide ransomware. Per VirusTotal (a Google company), 60 out of 69 AV endpoint vendors, including FireEye, Symantec, McAfee, and Microsoft, detect the DarkSide malware. However, Baidu, Tencent, Qihoo 360 (China-based), and Yandex (Russia-based) still missed it as of this writing. AnChain.AI urges all cybersecurity vendors to add DarkSide coverage to their malware detection engines.

2. Cryptocurrency industry, VASP:

Take a clear stance against crypto money laundering. As identified by AnChain.AI, the DarkSide hacker group has been laundering the bitcoin it received from the Colonial Pipeline ransomware campaign. Make sure your on-chain AML screening engine is preventive (applied before incoming funds are credited) and comprehensive, so that you fully comply with the requirements of your jurisdiction, such as OFAC, FinCEN, SEC, and OCC in the United States; MAS in Singapore; and 5AMLD in the EU.
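To make concrete what "preventive on-chain screening" against a wallet cluster like the one in the timeline above involves, here is an added Python illustration. It is not AnChain.AI's engine and uses no real DarkSide data: the ledger, the placeholder address labels, and the single flagged seed address are all constructed for the example. It (1) groups addresses into a wallet cluster with the common-input-ownership heuristic, deliberately skipping transactions that look like CoinJoins, and (2) traces a deposit backwards a bounded number of hops through the funding graph to decide whether it should be held because it originates from the flagged cluster.

```python
"""Toy on-chain AML screening (constructed example, not AnChain.AI's engine).

1. cluster_addresses: common-input-ownership heuristic (all inputs of one
   non-CoinJoin transaction are assumed to belong to one entity).
2. trace_back: bounded backwards walk over the funding graph from a deposit.
3. screen_deposit: hold the deposit if the walk reaches a flagged cluster.
"""
from collections import defaultdict, deque

# Constructed ledger: each tx spends a list of input addresses and pays a list
# of (address, amount) outputs. Labels are placeholders, not real addresses.
SAMPLE_TXS = [
    # two ransom-payment addresses spent together (common-input ownership)
    {"txid": "t1", "inputs": ["ransom_in_1", "ransom_in_2"],
     "outputs": [("hop_a", 70.0), ("ransom_change", 5.0)]},
    # CoinJoin-like tx: three parties, three equal-valued outputs
    {"txid": "t2", "inputs": ["hop_a", "cj_peer_1", "cj_peer_2"],
     "outputs": [("mix_1", 30.0), ("mix_2", 30.0), ("mix_3", 30.0)]},
    # mixed coins reach an exchange deposit address alongside clean funds
    {"txid": "t3", "inputs": ["mix_1", "clean_src"],
     "outputs": [("exchange_deposit", 33.0), ("mix_change", 2.0)]},
    # a spend straight from the second ransom address (not in the seed list)
    {"txid": "t4", "inputs": ["ransom_in_2"],
     "outputs": [("direct_deposit", 3.0)]},
    # an unrelated customer
    {"txid": "t5", "inputs": ["other_user"],
     "outputs": [("unrelated_deposit", 1.0)]},
]

# Assumed: one ransom destination address reported to the screening team.
FLAGGED_SEED = {"ransom_in_1"}


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """CoinJoin heuristic: several equal-valued outputs mean the inputs were
    contributed by different parties, so clustering across them is unsafe."""
    counts = defaultdict(int)
    for _, amount in tx["outputs"]:
        counts[amount] += 1
    return max(counts.values(), default=0) >= min_equal_outputs


def cluster_addresses(txs):
    """Union-find over inputs: returns {address: frozenset(cluster members)}
    for every address that spent in a non-CoinJoin transaction."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        if looks_like_coinjoin(tx):
            continue  # never merge strangers' inputs into one wallet
        root = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = root
    members = defaultdict(set)
    for addr in parent:
        members[find(addr)].add(addr)
    return {a: frozenset(m) for m in members.values() for a in m}


def build_funding_graph(txs):
    """Map each output address to the (txid, input address) pairs funding it."""
    funded_by = defaultdict(list)
    for tx in txs:
        for out_addr, _ in tx["outputs"]:
            for in_addr in tx["inputs"]:
                funded_by[out_addr].append((tx["txid"], in_addr))
    return funded_by


def trace_back(funded_by, start, max_hops):
    """BFS backwards from `start`; returns {address: (hops, [txids walked])}."""
    seen = {start: (0, [])}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hops, path = seen[addr]
        if hops == max_hops:
            continue
        for txid, src in funded_by.get(addr, []):
            if src not in seen:
                seen[src] = (hops + 1, path + [txid])
                queue.append(src)
    return seen


def screen_deposit(txs, deposit_addr, flagged_seed, max_hops=3):
    """Verdict for one deposit: expand the seed to its whole cluster, walk the
    funding graph backwards, and report the nearest flagged source if any."""
    clusters = cluster_addresses(txs)
    flagged = set()
    for seed in flagged_seed:
        flagged |= clusters.get(seed, frozenset({seed}))
    reach = trace_back(build_funding_graph(txs), deposit_addr, max_hops)
    hits = [(hops, addr, path) for addr, (hops, path) in reach.items()
            if addr in flagged]
    if not hits:
        return {"blocked": False, "hops": None, "via": None, "path": []}
    hops, addr, path = min(hits)
    return {"blocked": True, "hops": hops, "via": addr, "path": path}


if __name__ == "__main__":
    for dep in ("exchange_deposit", "direct_deposit", "unrelated_deposit"):
        print(dep, screen_deposit(SAMPLE_TXS, dep, FLAGGED_SEED))
```

Two caveats matter in practice. The common-input heuristic is exactly what CoinJoin is built to defeat, so a transaction that looks like a CoinJoin must not merge its inputs into one wallet; and a backwards walk through a CoinJoin taints every output, so a hit reached that way (here `exchange_deposit` at three hops) should be weighed by the share of tainted value and reviewed, not rejected mechanically. A direct one-hop spend from an address in the flagged cluster (`direct_deposit`) is the clear-cut case an engine should hold before crediting.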

3. Governments & Regulators:

Most jurisdictions have been implementing their cryptocurrency AML regulations.
