Finance
Share this article

Almost $7M in Bitcoin Held by Colonial Pipeline Attacker Is on the Move

Elliptic has linked the activity to ransomware group REvil, with which DarkSide has close ties, being hacked and forced offline by a U.S. government-led operation.

By Jamie Crawley
Updated May 11, 2023, 7:06 p.m. Published Oct 22, 2021, 12:15 p.m.
(Shutterstock)

Bitcoin now worth nearly $7 million held by the DarkSide ransomware group involved in the Colonial Pipeline attack in May is on the move, according to blockchain analytics firm Elliptic.

  • Following the attack, which threatened the petroleum supplies of five eastern states in the U.S., DarkSide’s share of the amount paid in ransom remained dormant until Oct. 21, Elliptic said Friday in a blog.
  • The developer of “ransomware as a service,” DarkSide, maintained a wallet to hold its share of the funds, which included 11.3 BTC. That was identified by Elliptic using its intelligence collection and analysis of blockchain transactions.
  • DarkSide subsequently said the wallet had been claimed by an unknown third party, sending 107.8 BTC ($6.8 million) to a new address.
  • These bitcoin have now been sent through a series of new wallets over a period of several hours, with small amounts being ejected at each step – a common money laundering technique to make funds harder to track.
  • Elliptic has linked this activity to ransomware group REvil, with which DarkSide has close ties, being hacked and forced offline by a U.S. government-led operation.

Read more: Blockchain Analytics Firm Elliptic Raises $60M to Fund R&D, Expansion

STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
By signing up, you will receive emails about CoinDesk products and you agree to our terms of use and privacy policy.
EllipticColonial PipelineRansomware Attack

More For You

Protocol Research: GoPlus Security

By CoinDesk Research
Nov 14, 2025
Commissioned byGoPlus
GP Basic Image

What to know:

  • As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
  • GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
  • Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
View Full Report

More For You

Michael Saylor's Strategy Hangs on to Spot in Nasdaq 100 Index

By Francisco Rodrigues, AI Boost|Edited by Cheyenne Ligon
12 hours ago
Executive Chairman of Strategy Michael Saylor

The annual Nasdaq 100 rebalance saw six companies dropped and three new additions, with changes taking effect on December 22, but bitcoin treasury company Strategy hung onto its spot.

What to know:

  • Strategy (MSTR) will remain in the Nasdaq 100 index despite a major reshuffle, which saw several household names dropped.
  • The firm's business model, which involves stockpiling bitcoin, has drawn criticism from analysts and index providers, with MSCI considering excluding crypto treasury companies from its benchmarks.
  • The Nasdaq 100 rebalance saw six companies dropped and three new additions, with changes taking effect on December 22, but Strategy's bitcoin-heavy strategy secured its spot.
Read full story