Colonial Pipeline hacker Darkside reaped $90M from 47 victims

The average payment made to the ransomware group was about $1.9 million

The Russian ransomware group responsible for the Colonial Pipeline hack, Darkside, reaped just over $90 million in Bitcoin ransom payments from 47 victims before announcing it would cease operations, according to blockchain analytics firm Elliptic.

According to Elliptic's report, approximately 47% of victims paid a ransom to Darkside, with an average payment of about $1.9 million. The firm added that Darkside was on track for a record month for ransom payments in May before deciding to shut down operations. 

Source: Elliptic

DarkTracer, a criminal intelligence platform, found that a total of 99 organizations have been infected with DarkSide's malware as of Monday. 


Cybersecurity firm FireEye notes that since initially surfacing in August 2020, the creators of Darkside and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and across multiple industries.

Darkside operates as a ransomware-as-a-service (RaaS) where profit is shared between its owners and partners, or affiliates, who provide access to organizations and deploy the ransomware. Affiliates retain a percentage of the ransom fee from each victim. 

Based on forum advertisements, RaaS operators take 25% for ransom fees less than $500,000. The cut decreases to 10% for ransom fees greater than $5 million.

Source: Elliptic

Elliptic's report reveals that Darkside's developers have taken in a total of $15.5 billion in Bitcoin ransom payments, a 17.2% cut, while affiliates took an 87.2% cut of $74.7 million.

"To our knowledge, this analysis includes all payments made to DarkSide, however further transactions may yet be uncovered, and the figures here should be considered a lower bound," Tom Robinson, Elliptic’s co-founder and chief scientist, said.

The majority of the funds are being sent to crypto exchanges, where they can be swapped for other crypto assets or be converted into fiat money, Elliptic added.


The Colonial Pipeline's 5,500-mile system transports more than 100 million gallons of gasoline, diesel, jet fuel and heating oil per day, or roughly 45% of the fuel consumed on the Eastern Seaboard between the Gulf Coast and the New York metro area. 

Colonial Pipeline Company connects refineries with customers and markets throughout the Southern and Eastern United States through a pipeline system that spans more than 5,500 miles between Houston, Texas and Linden, New Jersey.

Colonial restarted the pipeline on May 12 and said on Saturday that service has since been fully restored. According to reports, Colonial paid a nearly $5 million ransom to Darkside to get back online. A Colonial spokesperson did not immediately return FOX Business' request for comment.

On Tuesday, the company said its internal server that runs its nomination system experienced "intermittent disruptions" due to some of the ongoing hardening efforts as part of its restoration process.

"These issues were not related to the ransomware or any type of reinfection," Colonial emphasized. "We are working diligently to bring our nomination system back online and will continue to keep our shippers updated. The Colonial Pipeline system continues to deliver refined products as nominated by our shippers."

The Colonial Pipeline hack has caused consumers to panic-buy gasoline. This has led to station outages across the East Coast and a national gas price average above $3 per gallon, the most expensive level since 2014.

The latest outage data as of 1 p.m. Tuesday from GasBuddy senior petroleum analyst Patrick De Haan shows a total of 10,418 stations remain without gas. The areas that remain the hardest hit with gasoline outages include Washington, D.C., the Carolinas, Georgia and Virginia.

According to the American Automobile Association, the national average gas price on Tuesday stands at $3.04 per gallon.