Blockchain Analytics Firm Finds Bitcoin Wallet Used in Gas Pipeline Ransomware Attack

May 21, 2021

The Bitcoin wallet used by an Eastern European criminal group to attack a Georgia-based pipeline operator has been identified. Blockchain analytics firm Elliptic has found the wallet used to receive payments from Colonial Pipeline in the ransomware attack, which has caused fuel shortages, outages, gas price increases and general chaos.

Colonial is one of the largest fuel pipeline operators in the U.S., supplying around 45 percent of the fuel consumed on the East Coast. The company paid a reported $5 million in cryptocurrency to the DarkSide criminal group in the ransomware attack.

Elliptic, a company that specializes in blockchain analytics, training and certification for crypto businesses, financial institutions and regulators, said DarkSide's Bitcoin wallet received 75 BTC from Colonial on May 8. The criminal group's wallet also received 57 payments from 21 different wallets, including 78.29 BTC from Brenntag, a German chemical distribution company.

“The affiliate’s share (the part of the ransom that goes to the deployer of the malware) of both the Colonial Pipeline and Brenntag ransom payments was sent to the same Bitcoin address, suggesting that the same party was responsible for infecting both of these businesses,” said Tom Robinson, co-founder and chief scientist at Elliptic.

The blockchain analytics firm also discovered an unreported ransom payment of about $320,000 in BTC sent on May 10 from the exchange used by Colonial Pipeline. DarkSide's wallet has been active since March 4, receiving a total of $17.5 million in crypto payments.

Elliptic believes DarkSide moved the majority of the ransom payment out of its wallet on May 9, while the US government managed to seize $5 million in BTC from the wallet. Of the funds moved, 18 percent of the coins went to a small group of exchanges while four percent went to darknet marketplace Hydra, which provides cash-out services.

"By identifying this wallet, Elliptic’s clients, including financial institutions, crypto exchanges and fintechs will now be alerted to any client deposits that originate from the DarkSide wallet," said Robinson. "By using our transaction and wallet screening tools they can ensure that DarkSide and other ransomware operators cannot cash-out or exchange their Bitcoin proceeds, disincentivizing this activity. Elliptic’s law enforcement clients can also use our software to trace these funds and seek to identify those responsible for these crippling cyber attacks."
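The two analytic steps the article describes, screening a deposit for funds that descend from a flagged wallet and spotting that two separate ransoms fed the same downstream address, can be illustrated on a tiny constructed transaction graph. The following Python is an added example, not Elliptic's software or any real blockchain data: the transactions, amounts and address names are invented placeholders, and the "haircut" taint model (each output inherits the value-weighted share of tainted inputs) is one common simplification, assumed here rather than taken from the page.

```python
"""
Toy wallet screening over a constructed Bitcoin-style transaction graph.

Two questions a screening tool answers:
  1. Does a deposit arriving at an exchange descend from a flagged wallet,
     and how diluted is it (haircut model, value-weighted per transaction)?
  2. Do funds from two separately flagged wallets converge on one address,
     which suggests a shared downstream party (e.g. an affiliate)?
All transactions, amounts and addresses below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample chain, listed in confirmation order. Each tx spends
# (address, BTC) inputs and creates (address, BTC) outputs.
TXS = [
    {"txid": "tx0", "inputs": [("coinbase", 40.0)], "outputs": [("clean_addr", 40.0)]},
    {"txid": "tx1", "inputs": [("victim1_exchange", 75.0)], "outputs": [("RANSOM_WALLET", 75.0)]},
    {"txid": "tx2", "inputs": [("RANSOM_WALLET", 75.0)],
     "outputs": [("affiliate_addr", 60.0), ("operator_addr", 15.0)]},
    # The affiliate co-spends tainted coins with 40 BTC of clean coins.
    {"txid": "tx3", "inputs": [("affiliate_addr", 60.0), ("clean_addr", 40.0)],
     "outputs": [("mixer_out_1", 50.0), ("mixer_out_2", 50.0)]},
    {"txid": "tx4", "inputs": [("mixer_out_1", 50.0)], "outputs": [("exchange_deposit_A", 50.0)]},
    {"txid": "tx6", "inputs": [("victim2_exchange", 78.29)], "outputs": [("RANSOM_WALLET_2", 78.29)]},
    {"txid": "tx7", "inputs": [("RANSOM_WALLET_2", 78.29)],
     "outputs": [("affiliate_addr", 62.0), ("operator2_addr", 16.29)]},
    {"txid": "tx5", "inputs": [("unrelated", 10.0)], "outputs": [("exchange_deposit_B", 10.0)]},
]

# Placeholder identifiers standing in for wallets attributed to one operator.
FLAGGED = {"RANSOM_WALLET", "RANSOM_WALLET_2"}


def taint_fraction(received, flagged, addr):
    """Share of everything `addr` has received that traces to a flagged wallet."""
    if addr in flagged:
        return 1.0
    tainted, total = received[addr]
    return tainted / total if total else 0.0


def trace_taint(txs, flagged, max_hops=6):
    """Forward-propagate taint through the chain.

    Returns (received, hops): received[addr] = [tainted_btc, total_btc],
    hops[addr] = shortest transaction distance from any flagged wallet.
    Taint beyond max_hops is dropped, as screening tools usually cap depth.
    """
    received = defaultdict(lambda: [0.0, 0.0])
    hops = {a: 0 for a in flagged}
    for tx in txs:
        total_in = sum(v for _, v in tx["inputs"])
        tainted_in = sum(v * taint_fraction(received, flagged, a) for a, v in tx["inputs"])
        frac = tainted_in / total_in if total_in else 0.0
        src_hops = [hops[a] for a, _ in tx["inputs"] if a in hops]
        hop = 1 + min(src_hops) if src_hops else None
        for addr, v in tx["outputs"]:
            received[addr][1] += v  # totals always accumulate, so later dilution is correct
            if frac > 0.0 and hop is not None and hop <= max_hops:
                received[addr][0] += v * frac
                hops[addr] = min(hops.get(addr, hop), hop)
    return received, hops


def screen_deposit(addr, received, flagged, hops, threshold=0.1):
    """Alert decision for a single deposit address."""
    frac = taint_fraction(received, flagged, addr)
    return {"address": addr, "tainted_fraction": round(frac, 4),
            "hops_from_flagged": hops.get(addr), "alert": frac >= threshold}


def shared_destinations(txs, sources, max_hops=6):
    """Addresses reachable (within max_hops) from every one of the given wallets."""
    reach = []
    for src in sources:
        _, hops = trace_taint(txs, {src}, max_hops)
        reach.append({a for a, h in hops.items() if h > 0})
    return set.intersection(*reach)


if __name__ == "__main__":
    received, hops = trace_taint(TXS, FLAGGED)
    for deposit in ("exchange_deposit_A", "exchange_deposit_B"):
        print(screen_deposit(deposit, received, FLAGGED, hops))
    print("common downstream:", shared_destinations(TXS, ["RANSOM_WALLET", "RANSOM_WALLET_2"]))
```

On the constructed data, `exchange_deposit_A` is three hops from a flagged wallet with 60 percent of its value tainted (the 40 BTC of clean coins co-spent in `tx3` dilute it), while `exchange_deposit_B` is untouched; tracing each ransom wallet separately shows that only `affiliate_addr` lies downstream of both, which is the kind of convergence Robinson describes. A real screening pipeline would replace the inline list with indexed UTXO data and tune the hop cap and threshold to its risk policy.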

Edited by Luke Bellos