WannaCry hackers withdraw £100,000 in bitcoin ransom funds

Suspected hackers have withdrawn more than £100,000 worth of bitcoin from digital wallets associated with payments made by desperate users during the WannaCry ransomware attack earlier this year.

The cyber attack struck the NHS in May, as well as hundreds of other businesses worldwide, causing days of disruption by locking users out of their files and demanding bitcoin payments in order to release them.

The new bitcoin activity was spotted by a Twitter bot - created by Quartz journalist Keith Collins - to track activity around the digital wallets linked to WannaCry.

The bot recorded a series of withdrawals from the wallets on Thursday and bitcoin monitoring sites now show all of the wallets known to be linked to the attack as empty.

Every bitcoin transaction is publicly visible, but account holders themselves are anonymous.

The withdrawals come just days after a fork in bitcoin’s blockchain which has resulted in the creation of a new currency known as ‘bitcoin cash’.

Every user worldwide who held bitcoin funds prior to the split, including these hackers, now owns an equal amount of bitcoin cash. At the time of writing, bitcoin cash was worth only around £300 per coin, compared to over £2,000 for traditional bitcoin. Nevertheless, these extra coins represent an immediate and sizable increase in the total value of the ransom money acquired.

No one has officially claimed responsibility for the WannaCry attack, but some experts have linked it to Lazarus, the group also linked with the Sony Pictures hack in 2014.

At the time of the WannaCry attack, victims were asked to pay around £230 in the virtual currency in order to regain control of their systems.

However, cyber security experts advised victims not to pay, as it could encourage other cyber criminals and would not guarantee access was restored.

Some experts have suggested the hackers will now use a ‘mixer’, where the bitcoin is broken up and scattered through a wider series of payments, in order to make it harder to trace.

Ilia Kolochenko, chief executive of cyber security firm High-Tech Bridge, said: “Professional cyber criminals have well-established contacts with organised crime, financial institutions and even law enforcement agencies.

“It’s not a big problem to find a virtually untraceable way for bitcoin laundering. A lot of amateur cyber criminals were traced by various mistakes when they were trying to ‘cash out’, but professionals have different ways to stay in the shadows.”

The Florida-based operator of an illegal bitcoin exchange suspected of laundering money for hackers and linked to a data breach at JPMorgan was given a five-and-a-half-year prison sentence last month after pleading guilty to three counts of conspiracy including bank fraud and operating an unlicensed money transmitting business. 
