Thomas Brewster, 05 June 2021
In just two months last year, the FBI watched three companies pay hackers wielding ransomware called NetWalker millions in Bitcoin to get their hacked data back. While that seems like a big win for the cybercriminals, it also gave investigators in the U.S. and elsewhere a new roadmap for tracking and prosecuting them.
NetWalker was a ransomware-as-a-service crew, similar to DarkSide and REvil, whose tools were used in the attacks on Colonial Pipeline and JBS, which led to gas and food shortages across America in the last month. The creators of NetWalker rented it out to other cybercriminals, who would find a way to break into a company and then deploy NetWalker to lock up the victim's files. Only the key the NetWalker crew controlled could unlock that data. Since it emerged in 2019, its myriad victims have included universities, healthcare bodies and government departments, and it has made close to $50 million in that time.
In a previously unreported court document obtained by Forbes, the FBI detailed how it tracked the cryptocurrency flowing from the three 2020 victims to the hackers, right down to naming an individual potentially linked to the criminal organization. It revealed that the highest payment hit 303 bitcoin, worth $2.8 million at the time but now over $11 million. For each victim, investigators saw a pattern: 30 minutes after the ransom was paid, the bitcoin was split between four Bitcoin addresses (think of these simply as online addresses from which cryptocurrency can be sent and received, all of them locatable on the blockchain ledger). Those addresses included a single wallet and a cluster of addresses believed to be owned by the same person, which investigators referred to as a “merge.” As a way of complicating the money trail (i.e. money laundering), the funds were then rapidly transferred to a number of other merges. One of those merges, which the FBI named “Merge G,” was seen depositing funds into an account at the cryptocurrency exchange Binance. That Binance account was linked to a real person, a 20-year-old female Ukrainian national. (As no charges have been filed against the Ukrainian in the U.S., and the Ukrainian police had not responded to a request for comment, Forbes is not naming the individual.) She was seen converting $430,000 in Bitcoin into another cryptocurrency, Tether, in which each coin is worth just $1. In July 2020, the FBI seized $455,000 from the account.
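The fund-flow pattern the filing describes (a ransom split across four addresses, "merges" of addresses believed to share an owner, then a deposit at an exchange) can be checked mechanically on a transaction graph. This is an added illustration with constructed transactions and labels, not data from the court document; it groups addresses with the common-input-ownership heuristic, which the article does not say the FBI used.

```python
from collections import defaultdict

# Constructed transactions: (txid, input addresses, [(output address, BTC)]).
# Addresses and amounts are made up; only the shape follows the article.
TXS = [
    ("tx1", ["victimA"], [("a1", 75.0), ("a2", 75.0), ("a3", 76.0), ("a4", 77.0)]),
    ("tx2", ["a1", "a2"], [("g1", 150.0)]),        # a1 and a2 co-spent: same owner
    ("tx3", ["a3", "a5"], [("g2", 100.0)]),        # a3 co-spent with unrelated a5
    ("tx4", ["g1", "g2"], [("exch_dep", 250.0)]),  # the downstream "merge" cashes out
]
EXCHANGE_DEPOSITS = {"exch_dep": "ExampleExchange"}  # constructed label, not real


def cluster_addresses(txs):
    """Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to share an owner (the article's "merge")."""
    parent = {}

    def find(a):  # union-find root with path halving
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for _, inputs, _ in txs:
        root = find(inputs[0])
        for other in inputs[1:]:
            parent[find(other)] = root
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return {a: frozenset(m) for m in clusters.values() for a in m}


def downstream(txs, start):
    """Addresses reachable by following outputs forward from `start`."""
    seen, stack = {start}, [start]
    while stack:
        addr = stack.pop()
        for _, inputs, outputs in txs:
            if addr in inputs:
                for out, _ in outputs:
                    if out not in seen:
                        seen.add(out)
                        stack.append(out)
    return seen


def split_fanout(txs, start):
    """Number of outputs the first hop splits the payment into (4 in the article)."""
    return max((len(o) for _, i, o in txs if start in i), default=0)


def exchange_cashouts(txs, start, deposits):
    """(exchange, depositing cluster, BTC) for downstream spends into a known deposit address."""
    reached, cluster = downstream(txs, start), cluster_addresses(txs)
    return [(deposits[out], cluster[inputs[0]], amt)
            for _, inputs, outputs in txs if any(i in reached for i in inputs)
            for out, amt in outputs if out in deposits]
```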