Saturday, August 5, 2017

Remaining WannaCry Bitcoin Money Is on the Move


We have another interesting development regarding the WannaCry ransomware strain on our hands. Just last month, some of the Bitcoin funds that this malware strain had stolen were moved from its original address. It now appears the remaining funds have been moved to a different address as well. Considering how BTC-e cannot launder the proceeds and BitMixer is gone, the question now becomes where these funds will end up.

WannaCry Bitcoin Funds Are Moving Again

It is somewhat easy to analyze the Bitcoin blockchain and flag suspicious wallets. That is exactly what happened with the WannaCry ransomware distribution wallets, which were easily sniffed out by security researchers. Ever since that time, people have been keeping a close eye on the balances of those accounts to see if the funds would be moved over time. It appears that this is the case, and that funds were moved on two separate occasions.

The first batch of funds was moved in July of this year. Although no one knows for sure where the money ended up, it is certainly possible that at least part of it wound up at the BTC-e exchange. Considering that the platform is responsible for laundering 95% of all global ransomware proceeds, no one would be surprised to learn that some money had been converted to fiat currency through the company. The remainder of the funds, which added up to over US$140,000, has now been moved to an external address as well.

Laundering the WannaCry proceeds will be a lot more difficult than it had been before. First, it is impossible to send money to the BTC-e exchange, since the domain was seized by U.S. law enforcement officials last week. It remains unclear if the platform will ever be operational again, but it seems highly unlikely that it will be. Secondly, the criminals cannot use BitMixer anymore, as the largest Bitcoin mixing service shut its doors not too long ago. Mixers are a great way to remove taint from a Bitcoin balance and eliminate any trace of where it came from or where it ended up.

Spending the money on darknet markets will not be a walk in the park either. Both Hansa and AlphaBay were taken offline in quick succession. There are legitimate reasons to believe that law enforcement officials will target Dream Market next, as they have been cracking down on all illegal online activity. Making US$140,000 worth of Bitcoin disappear and turning it into clean money will be pretty challenging, if not outright impossible at this point.

There are other mixing service providers, however, which could help out in this regard. We discussed a few of those service providers a while ago and most of them are still operational to this very day. Another option would be to just sell the coins through LocalBitcoins, although that might attract even more attention from law enforcement officials. Agencies have been keeping a close eye on LocalBitcoins as well as anyone selling large amounts of cryptocurrency.

It is interesting to see this money being withdrawn right now. The motive behind the move remains a big mystery, and there is seemingly no reason to move funds now rather than a few days or weeks ago. It remains uncertain if the money will be cashed out or just moved to more secure solutions. Bitcoin is very valuable right now and sitting on a lot of money can make even the toughest criminal a bit antsy.

from The Merkle