Back in May, the WannaCry ransomware hit businesses, hospitals, and even national infrastructure across the globe. Ransomware like WannaCry encrypts your files and holds them hostage, demanding payment in Bitcoin before the encrypted files will be released.
The authors of WannaCry have been slowly collecting money from victims for months, and thanks to the magic of Bitcoin, we can tell that they’ve started to cash out.
After the initial wave of infections in May, researchers identified three Bitcoin accounts (called wallets) associated with the hackers. Thanks to the public leger design of Bitcoin, you can see how much Bitcoin is sitting in any wallet at any one time. Back in May, the Bitcoin collected was worth around $70,000. Thanks to a slow trickle of ongoing payments and fluctuations in Bitcoin itself, the value of Bitcoin in the wallets grew to $140,000.
Quartz reported today that the WannaCry authors have finally cashed out. Late last night Eastern time, seven withdrawls were made from three Bitcoin wallets linked to the attack, cleaning them out entirely. The movement was spotted by a Twitter bot that was set up to monitor the Bitcoin addresses by Quartz.
— actual ransom (@actual_ransom) August 3, 2017
Since the attack, security researchers have hypothesized that a nation-state — possibly North Korea — was behind the attack, rather than profit-seeking hackers. Given that, and all the attention attached to those Bitcoin wallets, it was expected that the hackers would never cash out.
The movement of the money doesn’t confirm one way or another that WannaCry was designed for profit, rather than political gain, but the fact that the authors were willing to risk creating a new trail just to access $140,000 will be interesting to security researchers.