In brief

  • Ransomware group DarkSide reportedly received more than $90 million worth of Bitcoin as ransom payments.
  • DarkSide’s software was used in this month’s Colonial Pipeline attack, although the group claims to have shuttered since.

Ransomware has been a hot topic in the news again lately following the attack of American gasoline pipeline firm Colonial Pipeline, which had its network shuttered by hackers. The firm reportedly paid DarkSide, described by the US government as a “ransomware-as-a-service” (RaaS) hacking group, nearly $5 million in cryptocurrency to unlock its network.

That may have been a drop in the bucket in DarkSide’s ransomware haul to date, however. Blockchain analytics firm Elliptic issued a report today that claims that DarkSide-affiliated Bitcoin wallets have received more than $90 million worth of total ransom payments to date.

Following a report from DarkTracer that claims that 99 organizations have been infected with DarkSide’s ransomware, Elliptic found that 47 payments—each from a distinct wallet—had been made to DarkSide’s Bitcoin wallets. In total, just over $90 million worth of Bitcoin was paid in, and the firm suggests that “further transactions may yet be uncovered, and the figures here should be considered a lower bound.”


DarkSide’s RaaS model sees the group provide the software for ransomware attacks to so-called “affiliates,” who target high-value companies and attempt to infect and lock down their computer networks and/or steal sensitive data. If a ransom payment is successfully negotiated and secured by the affiliate, then that amount is split between the partners.

According to security firm FireEye, DarkSide would take 25% of a ransomware payment under $5 million, or 10% for sums higher than that. Based on blockchain analysis, Elliptic reports that DarkSide kept about $15.5 million worth of the Bitcoin paid to it and disbursed some $74.7 million worth of Bitcoin to affiliate groups.

In the case of the Colonial Pipeline attack, the firm’s network led to fuel shortages across the Southeast United States. Bloomberg reported last week that Colonial Pipeline made a payment of “nearly $5 million” in “untraceable cryptocurrency” within hours of the attack, although it did not identify the coin. The New York Times later confirmed that the payment was made in Bitcoin.

Elliptic was the first to identify DarkSide’s Bitcoin wallet, and said that it received 75 BTC from Colonial Pipeline on May 8. On that date, according to historical data from Nomics, 75 BTC would have been worth approximately $4.43 million. A similar-sized payment of 78.29 BTC was sent to a DarkSide-affiliated wallet on May 11 by German chemical distributor Brenntag.

DarkSide, which is believed to be based on Eastern Europe or Russia, has reportedly shut down and emptied its Bitcoin wallets in the wake of the high-profile Colonial Pipeline attack, which drew a response from President Biden and the US government. A member of the group claimed to have lost access to many of its servers, and an email sent to DarkSide’s affiliates noted that it was shutting down “due to the pressure of the US.”


Cryptocurrency is often used for ransomware attacks due to the difficulty in tracing the money back to the criminals, although some coins—such as privacy-centric coin Monero—are even more challenging to trace than others. Blockchain data firm Chainalysis reported last week that more than $81 million worth of cryptocurrency has been paid out as ransom so far in 2021, with more than $406 million in known payments across 2020.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.