The WannaCry Ransomware Attackers Are Cashing Out Their Bitcoin at a Dangerous Time

By Dell Cameron

When the WannaCry ransomware attack hit back in May, it was really good at causing chaos but not so great at generating ransom money. Some analysts said that the attackers were amateurish in their methods. If the people behind the malware are as clumsy as they seem, they should be worried, because they recently started moving what Bitcoin they did collect during a particularly perilous time for cybercriminals.

Three Bitcoin wallets were previously identified as repositories for ransom payments being delivered to the attackers. Quartz set up a tracker to follow the wallets and future transactions. On Wednesday night around 11pm, funds began to be transferred out of them. At the moment, all three wallets are empty. At the current Bitcoin exchange rate, the apparent grand total of WannaCry’s haul comes out to around $143,000 (£108,809).

Despite Bitcoin’s reputation for anonymity, its transactions are recorded on a public ledger that anyone can inspect. Criminals use many methods to launder Bitcoin and eventually convert it into a more useful fiat currency, and Bitcoin mixers are one of the most popular.

The basic idea of a mixer is that a company holds a large pool of its own Bitcoins that it is ready to trade. Anyone looking to further anonymise their Bitcoin can send it to the mixer and receive unconnected Bitcoin in return. But there are new worries about the viability of mixers.
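To make the two ideas above concrete (a tracker that watches known wallets for outflows, and why a mixer frustrates that tracking), here is an added example that is not part of the article and is not Quartz’s tracker or Chainalysis’s tooling. The ledger, the watched addresses and the transaction ids are constructed placeholders (the real WannaCry wallet addresses are not reproduced here), fees are ignored, and the “proportional taint” rule used to follow value through a transaction is one common heuristic, chosen here as an assumption rather than anything the article describes.

```python
"""Follow ransom funds out of watched wallets across a constructed ledger.

Added example: not the article's, Quartz's or Chainalysis's code. All
addresses, amounts and tx ids are constructed placeholders. Assumptions:
transactions are listed in chronological order and fees are ignored.
"""
from collections import defaultdict

# Constructed watched set: stand-ins for the three identified ransom wallets.
WATCHED = {"WATCHED_A", "WATCHED_B", "WATCHED_C"}

# Constructed ledger. Each tx spends (address, amount) inputs into outputs.
TXS = [
    # Ransom payments arriving at the watched wallets.
    {"id": "tx0a", "inputs": [("victim1", 5.0)], "outputs": [("WATCHED_A", 5.0)]},
    {"id": "tx0b", "inputs": [("victim2", 3.0)], "outputs": [("WATCHED_B", 3.0)]},
    {"id": "tx0c", "inputs": [("victim3", 1.0)], "outputs": [("WATCHED_C", 1.0)]},
    # Funds moved out through intermediate hops, then merged into one deposit.
    {"id": "tx1", "inputs": [("WATCHED_A", 5.0)], "outputs": [("hop1", 5.0)]},
    {"id": "tx2", "inputs": [("WATCHED_B", 3.0)], "outputs": [("hop2", 3.0)]},
    {"id": "tx3", "inputs": [("hop1", 5.0), ("hop2", 3.0)],
     "outputs": [("exchange_deposit", 8.0)]},
    # Unrelated activity that a tracker must not flag.
    {"id": "tx4", "inputs": [("unrelated", 2.0)], "outputs": [("elsewhere", 2.0)]},
    # Mixer-style tx: 1 traced coin joins 9 clean pool coins; 10 equal outputs.
    {"id": "tx5",
     "inputs": [("WATCHED_C", 1.0)] + [(f"pool{i}", 1.0) for i in range(9)],
     "outputs": [(f"mixout{i}", 1.0) for i in range(10)]},
]


def balance(txs, addr):
    """Net balance of one address: everything received minus everything spent."""
    received = sum(a for tx in txs for dst, a in tx["outputs"] if dst == addr)
    spent = sum(a for tx in txs for src, a in tx["inputs"] if src == addr)
    return received - spent


def trace(txs, watched):
    """Propagate 'taint' from watched wallets through every later transaction.

    Taint of an address = fraction of the value it received that traces back
    to a watched wallet. Each output of a tx inherits the tx's overall tainted
    share of inputs (proportional rule, an assumption of this example).
    Returns (taint_by_address, ids of txs that moved any traced value).
    """
    received = defaultdict(float)  # total value each address has received
    tainted = defaultdict(float)   # portion of that value traced to watched set
    flagged = []

    def fraction(addr):
        if addr in watched:
            return 1.0
        return tainted[addr] / received[addr] if received[addr] else 0.0

    for tx in txs:
        total_in = sum(a for _, a in tx["inputs"])
        tainted_in = sum(a * fraction(src) for src, a in tx["inputs"])
        share = tainted_in / total_in if total_in else 0.0
        if share > 0:
            flagged.append(tx["id"])
        for dst, a in tx["outputs"]:
            received[dst] += a
            tainted[dst] += a * share

    taint = {addr: fraction(addr) for addr in received if fraction(addr) > 0}
    return taint, flagged


if __name__ == "__main__":
    for w in sorted(WATCHED):
        print(f"{w}: balance {balance(TXS, w):.2f}")
    taint, flagged = trace(TXS, WATCHED)
    print("txs moving traced funds:", flagged)
    for addr, frac in sorted(taint.items()):
        print(f"{addr}: {frac:.2f} of received value traced to watched wallets")
```

Running it shows the watched wallets at zero (they were emptied), the merged `exchange_deposit` carrying a full 1.0 taint because every input traces back to a watched wallet, and each of the ten mixer outputs carrying only 0.1. That dilution is the whole point of a mixer: the tracker can still see that the coin entered the pool, but it can no longer say which output is the attacker’s, only that each output is one tenth “suspect”, which is why analysts attach far less confidence to anything downstream of a mixing transaction.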

Bitmixer, the most popular mixing service, recently announced that it was shutting down. While the public statement claimed that the founder had a change of heart about how anonymous Bitcoin should be, many people had suspicions that law enforcement was putting pressure on the company. The anonymous founder claimed that Bitcoin was always intended to be open and public, saying that “despite the huge profit we earn,” they felt that “bitcoin will have a great future without dark market transactions.” But the founder also encouraged other mixers to get out of the game and warned that “very soon this kind of activity will be considered as illegal in most of countries [sic].”

This summer has been a particularly rough time for people involved in cybercrime. In the last few weeks, two of the biggest darkweb markets, Hansa and AlphaBay, were taken down by authorities. And last month a 38-year-old Russian man named Alexander Vinnik was arrested by Greek authorities for allegedly running the BTC-e Bitcoin exchange that’s accused of being a money laundering operation. It’s still unclear if users of BTC-e will get their funds back.

On July 17th, Google and security research firm Chainalysis presented a large-scale analysis of ransomware payments at the Black Hat conference in Mandalay Bay. Taking a look at the 11 biggest pieces of ransomware, they concluded that 95 per cent of payments were cashed out through the BTC-e exchange. The exchange is accused of laundering $4 billion (£3.04 billion) worth of cryptocurrency. Its loss and Bitmixer’s shutdown mean criminals will have to look elsewhere.

Chainalysis co-founder Jonathan Levin told Gizmodo over the phone that he’s been keeping up with WannaCry’s funds and that they are being converted into another cryptocurrency called Monero, which he says is “much more anonymous.” He said that about $100,000 (£76,000) is still sitting in Bitcoin. Monero automatically mixes coins and has a different source code from Bitcoin. Levin says that despite some reports claiming that transactions can be tracked through mixers, that’s not necessarily the case. “There are claims that transactions can be traced through Bitcoin mixers but we don’t have evidence that it’s true, at this point,” he said.

According to Chainalysis and Neutrino’s research, the WannaCry hackers are using a service called ShapeShift to launder their Bitcoins. Founded by the American Bitcoin advocate Erik Voorhees, ShapeShift allows a user to provide an email address and anonymously convert one cryptocurrency into another. In this case, Bitcoin becomes Monero. “Monero is totally anonymous so far,” Neutrino CEO Giancarlo Russo told Forbes. “It will not be possible to follow further movements.”

With so much recent action by law enforcement in the cybercrime world, it seems like a bad time to try to get a small amount of cash from a high-profile international crime. But the recent split of Bitcoin might be adding some financial incentive for the hackers to act now. Then again, some experts believe that WannaCry was the work of the North Korean government, in which case, the hackers can probably just say YOLO. [Quartz, ZDNet]
