
Analysis Darkside Bitcoin March BTC Robinson

Over the past nine months, hackers attributed to the DarkSide ransomware gang have pocketed $90 million in Bitcoin payments. They used a business model known as “ransomware as a service,” in which they developed and sold ransomware tools to other criminals who then infiltrated their targets and negotiated ransom payments.

This new business model has opened up the ransomware threat to a whole new class of criminals, according to blockchain analytics firm Elliptic. These so-called “affiliates” lack the technical expertise to create malware themselves, but they are willing and able to infiltrate victims and negotiate ransom payments on the developers’ behalf.

During these attacks, they typically demand cryptocurrency as the ransom payment in exchange for restoring access to the victim’s computer systems. Cryptocurrency lets them operate with a high level of anonymity, without relying on a bank account or other legal channels.

In addition, cryptocurrencies are easy to convert back into fiat money, making them attractive options for criminals. In particular, crypto exchanges can easily accept them and convert the funds into regular currency.

These funds then flow into the wallets of cybercriminals. A wallet consists of a cluster of addresses whose keys are managed by the same software. Blockchain analytics firms use heuristics (rules of thumb about how transactions are constructed) to identify these clusters and associate them with specific entities, such as a ransomware gang or an affiliate.

The DarkSide ransomware gang was responsible for a May attack against Colonial Pipeline, which supplies fuel to the eastern United States and parts of Canada. The attack disrupted services for the company, leading to a spike in gas prices and panic buying.

Colonial paid a ransom of 75 Bitcoins to DarkSide, which Elliptic determined was worth about $5 million at the time. This money has now been seized by the US Department of Justice and FBI.

As part of its analysis, Elliptic examined the blockchain to see how these funds were transferred. It found that the bulk of these funds — 69.6 BTC — ended up in the hands of an affiliate associated with the ransomware gang.

It then tracked this transaction back through several intermediate addresses to the initial ransom payment address, identified by the FBI. The analysis shows that 107 of these Bitcoins are currently being moved to multiple new wallets, with a smaller amount being transferred each time.

This process makes the funds much harder to track. The new wallets are also using a mixing technique called CoinJoin, which combines the funds from the original wallets with those of other users in shared transactions so that the link between the original wallets and the newly created ones is obscured.
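The two analytic steps described above, clustering addresses into wallets and following a payment through intermediate addresses until a CoinJoin breaks the trail, can be shown on a small transaction graph. The following is an added example and is not Elliptic’s tooling or code from this article. It implements the common-input-ownership heuristic (all inputs of one ordinary transaction are assumed to be signed by the same wallet) with a union-find, a simple CoinJoin detector (several inputs, several equal-valued outputs), and a forward “taint” trace. The addresses, transaction ids and amounts are constructed sample data that only mirror the shape of the flow the article describes (ransom address, a split, hops, an affiliate wallet, a CoinJoin); fees are ignored.

```python
"""Toy blockchain-analytics helpers: address clustering and fund tracing.

Added example, not Elliptic's code. All transactions, addresses, txids and
amounts below are constructed sample data; they are not real on-chain data.
"""
from collections import defaultdict, deque

SATOSHI = 100_000_000


def btc(x):
    """Convert a BTC amount to whole satoshis so the arithmetic is exact."""
    return round(x * SATOSHI)


# Each transaction: txid, inputs [(address, amount)], outputs [(address, amount)].
TXS = [
    {"txid": "tx1", "inputs": [("victim", btc(80))],
     "outputs": [("ransom_addr", btc(75)), ("victim_change", btc(5))]},
    # the ransom address splits the payment into a developer cut and an affiliate share
    {"txid": "tx2", "inputs": [("ransom_addr", btc(75))],
     "outputs": [("dev_share", btc(5.4)), ("hop1", btc(69.6))]},
    {"txid": "tx3", "inputs": [("hop1", btc(69.6))],
     "outputs": [("hop2", btc(40)), ("hop3", btc(29.6))]},
    # hop2 and hop3 are spent together, so one wallet controls both
    {"txid": "tx4", "inputs": [("hop2", btc(40)), ("hop3", btc(29.6))],
     "outputs": [("affiliate", btc(69.6))]},
    # CoinJoin: three parties pool inputs and receive equal-valued outputs
    {"txid": "tx5", "inputs": [("affiliate", btc(69.6)), ("user_a", btc(10)), ("user_b", btc(10))],
     "outputs": [("cj_out1", btc(10)), ("cj_out2", btc(10)), ("cj_out3", btc(10)),
                 ("affiliate_change", btc(59.6))]},
    {"txid": "tx6", "inputs": [("dev_share", btc(5.4))],
     "outputs": [("dev_exchange_deposit", btc(5.4))]},
]


def looks_like_coinjoin(tx, min_parties=3):
    """Heuristic CoinJoin detector: several inputs plus several outputs of the
    same value. Common-input-ownership must not be applied to such a
    transaction, because its inputs belong to different people."""
    if len(tx["inputs"]) < min_parties:
        return False
    value_counts = defaultdict(int)
    for _, amount in tx["outputs"]:
        value_counts[amount] += 1
    return max(value_counts.values(), default=0) >= min_parties


def cluster_addresses(txs, skip_coinjoin=True):
    """Common-input-ownership heuristic via union-find: the input addresses of
    one ordinary transaction are merged into one cluster. Returns
    {address: frozenset(members)} for every address seen; addresses only ever
    seen as outputs stay singletons. skip_coinjoin=False shows the false
    merge you get when the heuristic is applied blindly to a CoinJoin."""
    parent = {}

    def find(a):
        root = a
        while parent[root] != root:
            root = parent[root]
        while parent[a] != root:      # path compression
            nxt = parent[a]
            parent[a] = root
            a = nxt
        return root

    for tx in txs:
        for addr, _ in tx["inputs"] + tx["outputs"]:
            parent.setdefault(addr, addr)
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue
        input_addrs = [addr for addr, _ in tx["inputs"]]
        for addr in input_addrs[1:]:
            parent[find(addr)] = find(input_addrs[0])

    members = defaultdict(set)
    for addr in parent:
        members[find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def trace_forward(txs, start_addr):
    """Follow the value paid to start_addr forward through every transaction
    that spends from a reached ("tainted") address; every output of such a
    transaction is treated as tainted. The trail stops at a CoinJoin, where
    the input/output link is broken. Returns (unspent, mixed): unspent maps
    still-unspent tainted addresses to the value they hold, mixed maps
    CoinJoin txids to the tainted value that entered them."""
    by_id = {tx["txid"]: tx for tx in txs}
    spends = defaultdict(list)            # address -> txids that spend from it
    for tx in txs:
        for addr, _ in tx["inputs"]:
            spends[addr].append(tx["txid"])

    received = defaultdict(int)           # tainted value received per address
    for tx in txs:
        for addr, amount in tx["outputs"]:
            if addr == start_addr:
                received[addr] += amount

    tainted, visited, mixed_txids, unspent = {start_addr}, set(), set(), {}
    queue = deque([start_addr])
    while queue:
        addr = queue.popleft()
        if not spends[addr]:              # trail ends at an unspent output
            unspent[addr] = received[addr]
            continue
        for txid in spends[addr]:
            if txid in visited:
                continue
            visited.add(txid)
            tx = by_id[txid]
            if looks_like_coinjoin(tx):   # trail ends at the mixer
                mixed_txids.add(txid)
                continue
            for out_addr, amount in tx["outputs"]:
                received[out_addr] += amount
                if out_addr not in tainted:
                    tainted.add(out_addr)
                    queue.append(out_addr)

    mixed = {txid: sum(amt for a, amt in by_id[txid]["inputs"] if a in tainted)
             for txid in mixed_txids}
    return unspent, mixed


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("cluster containing hop2:", sorted(clusters["hop2"]))
    unspent, mixed = trace_forward(TXS, "ransom_addr")
    print("unspent tainted value (BTC):", {a: v / SATOSHI for a, v in unspent.items()})
    print("value that entered a CoinJoin (BTC):", {t: v / SATOSHI for t, v in mixed.items()})
```

Run as a script, the trace from `ransom_addr` accounts for the whole constructed 75 BTC: 5.4 BTC sits unspent at the developer’s exchange deposit address and 69.6 BTC is reported as having entered the CoinJoin `tx5`, which is exactly where an analyst loses the one-to-one link and has to fall back on other evidence. The clustering shows the same caveat from the other side: with the CoinJoin check in place, `affiliate` stays a singleton, whereas applying the input heuristic blindly would wrongly merge it with the unrelated `user_a` and `user_b`.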

This tracing of the new wallets is a good example of how law enforcement authorities are using the blockchain to follow money. It helps to ensure that the right people are held accountable and to prevent money laundering.

Using this method, the government can identify where a ransomware hacker’s money is coming from and who is behind it. This can then help the government to prevent such attacks in the future. It can also protect financial institutions and crypto exchanges from becoming targets of cybercriminals, which are a growing threat to the financial system.