Home / Archive / WannaCry Extortionists’ Ill-Gotten Bitcoins Are on the Move

WannaCry Extortionists’ Ill-Gotten Bitcoins Are on the Move

Last Updated March 4, 2021 4:58 PM
Francisco Memoria
Last Updated March 4, 2021 4:58 PM

Back in May, a global bitcoin extorting ransomware campaign was launched using the WannaCry ransomware strain. The attack managed to infect thousands of computers all over the world, including those belonging to 48 hospitals in the U.K. It was able to exploit a Windows vulnerability that had been leaked in April, and used a hacking tool believed to be stolen from the National Security Agency (NSA).

The attack, which forced victims to pay $300 in bitcoin to restore their files, was stopped by a UK-based cyber security researcher who discovered an unregistered domain name and purchased it for $10.69. The domain turned out to be a kill switch.

Despite its massive reach, the extortionists behind WannaCry only managed to net $140,000 in ransom payments – a very small amount, taking into account ransomware extortionists made a total of over $25 million in the last two years.

The payments were spread across three different bitcoin addresses, and since the attack the $140,000 sat untouched, until now.

The money has now been moved from all three addresses, presumably to go through a bitcoin mixing service so the extortionists can cash out.

The transfers were first detected by Twitter bot @actual_ransom, which was set up to monitor WannaCry’s bitcoin addresses. Most didn’t expect the money to move at all, since it was only in three different bitcoin addresses, making it easy to track. All three addresses are now empty.

Here’s the first transaction:


Melanie Shapiro, CEO at identity security firm Token, pointed out that if the money does go through a bitcoin mixing service, it’s only going to get harder to trace it.

We can watch all of this bitcoin be moved around, but inevitably every move makes it harder to trace back to an individual.

Experts at Quartz  created an animation of what happens to extorted bitcoins after they’re put through a bitcoin mixing service. The animation, which uses bitcoins earned by NotPetya extortionists as an example, makes it easy to see why tracking these bitcoins can then be extremely difficult, or downright impossible.


CNN contacted  the U.S. Department of Justice (DOJ) and Europol for comments, but got no response from either organization. Europol stated that the investigation into WannaCry was ongoing, while the DOJ didn’t respond to the request outside regular office hours.

Featured image from Shutterstock.