May 14, 2021

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs.

“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”

210 thoughts on “DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

  1. BitcoinMoney

    Well I see what it was*
    It was organised Mission to buy bitcoins.
    Whales neeed bitcoins to start new pump.
    To pump Up coins Price You need coins.
    I guess whales Will start pump Up bitcoins now.
    Btw its all Global mafia cartels illuminati Secret Services organised sometimes They just put prison Some dumb criminals.
    Banks mafia illuminati Financial Institutions Military its all the Same Thing and its all about just money and Business.
    We all Remember that jstash dark market seller was Police and also the CEO of the Wall street instution…
    It doesnt Take to be genius to Know all of this crap, sometimes some Eastern Europe or African Low life Low educated criminals Will be hired just to Take the blame for the crimes Wich are truly organised by heavy money power by the harvard Yale educated mens.
    So there is no need to Think that the Low educated People so called “poor criminals” Are capable to do anything by their own.
    Many of those Low life Low educated criminals Don’t Know Even that their bosses who they admire so much are the illuminati SS. Members.
    That’s to said life is Dirty Don’t fall in traps Don’t look for Easy money!
    Those who offering to You those things are the demons and Stay Away from them as they are about to ruin your life and they Got no Honour but Only greedy for money.

    1. WhatDidIJustRead

      I’m actually terrified of what an average day for you looks like.

      1. Han

        I am 85% certain that was generated text from an AI

  2. Gary McManus

    How do you drain an account of bitcoin exactly? Wouldn’t you also have to hack the ledger?

    1. BrianKrebs Post author

      You could hack the Exchange where the transaction takes place, you could hack either accounts party to the transaction. You could hack a downstream exchange that holds funds. Or you could have someone somewhere on the inside move the money somewhere else. Those seem to be the most likely scenarios.

      1. Jc

        Could that have been a lie? Thats to say, since I don’t think any government agency has claimed responsibility for recouping the Bitcoin, isn’t it possible those dudes just said that in the hopes that people wouldn’t continue looking for them? And also so they could also just take all the money and not disperse it to their affiliates or whomever they needed to pay off? Is it possible that they just lied about that server being compromised and they just shut it down themselves, and hoped that the world would believe it, so they would be left alone?

        1. androme

          This is exactly what I think. Let US have it’s moment of glory on the international press by claiming that you where hacked by an unknown actor and at the same time take all the money with you. It’s a win/win

  3. Vinny Paranoia

    Is fear really stronger than greed?? I don’t buy this phony farewell. Given the amount of money, the amount of opportunites and the amount of companies that have shown a clear disregard for cybersecurity, I refuse to believe that ransomware is on its deathbed. I think a more plausible explanation is that Darkside felt the heat and decided to back off for a while, but they’ll pick up right where they left off sooner or later, perhaps they’ll rebrand or join forces with other devs. Who knows. One thing’s for sure though, these troublemakers just can’t stay away from the action for too long it’s an addiction they won’t shake off until they’re behind bars.

  4. Jonny

    The recent collapse in the market rate led me to request withdrawal from my broker, only for me to realise this people have been misleading and misinforming me, to me its a sham and getting back my ETH was looking impossible till i hired someone from calgarysec-hack com. i got 90% back, lost some of the profit. So ya’ll need to be careful out here.

  5. NOC

    By shielding your systems from potential threats, you can avoid the fate of many businesses who are exposed to a ransomware attack.

  6. J. Demers

    The DarkSide thieves brought unwelcome light and heat to the Russian regime, and got slapped down for it. They know better than to complain too loudly or ask too many questions, and wisely elected to to quietly disappear into the woodwork for a while. This is the risk you take when operating a criminal enterprise in a nation run by even bigger criminals. The funds are likely in the hands of the Putin government/mafia (a.k.a. “law enforcement” in Russia), thanks in all probability to an inside agent.

  7. Joe

    I’m either missing something fundamental about RAAS, or I’ve simply overlooked the answer. If Darkside is offering their hacking tools to affiliates (aka clients), and affiliates are the ones that are doing the actual hacking, is there another culprit in this that hasn’t been mentioned? Or is this a scenario where Darkside offers the tools/service, but also use the tools themselves on the side, and they were the ones personally that hacked Colonial?

  8. DataSpace Security

    DarkSide, the group behind the Colonial Pipeline outage, says its servers were seized and its funds drained. The message was posted on a Russian cybercrime forum. Organizers say they are releasing decryption tools for companies that have been ransomed but which haven’t paid. Some Russian forums are distancing themselves from ransomware operations. DataSpace Security can provide you the knowledge on cryptography and network security.

  9. androme

    This is exactly what I think. Let US have it’s moment of glory on the international press by claiming that you where hacked by an unknown actor and at the same time take all the money with you. It’s a win/win

    1. r

      This was publicity deal from US. If these hackers are for real, bitcoin would not be involved whatsoever.

  10. Sanni

    I think this was a false flag event. It accomplished:
    Raising gas/ oil prices without blaming inflation
    Casts a huge security FUD shadow over BTC

  11. realspeak


    GOV to fabricate more stories to provide negative publicity on bitcoin, because of failing global trade with the petrodollar.

    stay safe, protect your loved ones.

Comments are closed.