More than $140,000 worth of Bitcoin ransom paid by victims in the recent WannaCry outbreak have evaporated from the three online wallets where it was housed. The criminals, in other words, have slipped into the shadows.
A Twitter bot set up by Quartz journalist Keith Collins to track ransom totals was the first to pick up on the situation.
WannaCry infected 200,000 to 300,000 un-updated Windows computers worldwide in May, with its authors demanding $300 in Bitcoin from victims in return for access to their files. Many were big-name victims, including the National Health Service in the UK, Honda and others, who saw major disruptions to their operations.
An analysis by Forbes found that the perps have now squirreled away their ill-gotten gains using a Swiss cryptocurrency exchange called, appropriately, ShapeShift, to launder the money. ShapeShift morphs virtual funds of one type into another, in this case Monero, which is harder to track than venerable Bitcoin. All it takes is an email from which to send money to ShapeShift, which will anonymously perform a currency conversion and send it back.
"From start to finish, ShapeShift can change currencies in under ten seconds, no account required,” the firm says in its self-description.
And it’s perfectly legal—while its terms and conditions prohibit “illegal use” of the service, in reality ShapeShift can’t logistically keep tabs on its anonymous users’ actions or motives. The company hasn’t provided a statement on the WannaCry situation.
Some are unsurprised by the development.
“Professional cyber-criminals have well-established contacts with organized crime, financial institutions and even law enforcement agencies,” Ilia Kolochenko, CEO of High-Tech Bridge, told Infosecurity by email. “It’s a not a big problem to find a virtually untraceable way for Bitcoin laundering. A lot of amateur cyber-criminals were traced by various mistakes when they were trying to ‘cash out’, but professionals have different ways to stay in the shadows.”