Share this article
NetWalker Ransomware Gang Is Storing $7M in Bitcoin in SegWit Cold Storage
The organization that’s encrypting computers and extorting companies has taken to SegWit addresses, according to McAfee and CipherTrace.
By Danny Nelson
Updated Sep 14, 2021, 9:39 a.m. Published Aug 3, 2020, 8:53 p.m.
NetWalker ransomware, which last week triggered cybersecurity flash warnings from the Federal Bureau of Investigation (FBI), has extorted $25 million in bitcoin from its victims during the months of the pandemic, according to a report by McAfee and CipherTrace.
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
- NetWalker is a “ransomware-as-a-service” that gains its access through COVID-19 phishing emails, encrypts infected systems and steals internal documents. Ransomware operators then threaten to publish victims’ documents if they fail to pay up.
- Victims, most of whom are large organizations such as companies and governments, appear to been obliging the hackers throughout the pandemic. McAfee and CipherTrace traced 2,795 bitcoin ($25 million) to NetWalker wallet addresses from March 1 through July 27.
- NetWalker’s developers refined their handling of bitcoin payments months before the pandemic began by swapping in SegWit addresses in place of legacy wallets, the report said.
- “This transition into SegWit could indicate that they are utilizing a new hardware wallet to store their BTC or just an indication of a desire for cheaper transactions,” said Pamela Clegg, director of financial investigations at CipherTrace.
- Clegg told CoinDesk that “large amounts of bitcoin” – up to 640 – appear to be sitting in cold storage. She said smaller amounts have been deposited at Russian crypto exchange CointoCard.org.
- The cybersecurity report follows last week’s warning from the FBI that NetWalker has been successfully exploiting COVID-19 in recent months. The FBI warns targeted institutions against paying hackers’ bitcoin ransom payments.
See also: Travel Management Firm CWT Pays Out $4.5M in Bitcoin After Ransomware Attack
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
Dogecoin Holds $0.14 Floor as Network Activity Hits 3-Month High
Rising active addresses and tightening volatility indicate an impending directional move, with $0.16 as a critical breakout threshold.
What to know:
- Dogecoin marked its 12th anniversary, but market reactions were muted, focusing instead on technical patterns and network activity.
- The token consolidated within a tight range, with active buying interest at the lower boundary and potential for a bullish breakout.
- Rising active addresses and tightening volatility indicate an impending directional move, with $0.16 as a critical breakout threshold.
Top Stories
