An unknown ransomware group is on some sort of a public relations offensive, donating thousands of dollars in stolen Bitcoins to various charitable causes. While it’s unclear what the true motives of the hackers are, the fact that the money was obtained illegally will likely render the move nothing more than an empty and self-serving gesture.
Self-styled “Robin Hood” hackers make donations to developing countries
The donations, which amount to at least $20,000 of stolen Bitcoins in total, were made by a group of hackers that call themselves “Darkside.” Darkside made news back in August for posting a startup-like launch announcement on the dark web, offering the ransomware-for-hire service with the trappings of legitimate businesses such as customer service contacts, technical support and a series of press releases. The group has only been active since late August, but is already credited with racking up over $1 million in paid ransoms. In addition to its apparent focus on customer service and PR, the group has pledged to only attack targets that are large enough to afford ransomware payments in the range of $200,000 to $2 million.
The hackers posted receipts for two separate donations of 0.88 of their stolen Bitcoins (about $10,000 each) on a dark web forum, apparently giving generously of the pilfered funds to two US-based charities: Children International and The Water Fund. Children International has already issued a statement indicating that it does not intend to keep the money, and presumably The Water Fund will follow. Any charity foolish enough to keep donations that can be traced back to ransomware could fall afoul of a variety of federal laws.
The hacking group, which is thought to be based somewhere in the Commonwealth of Independent States due to a seeming avoidance of any targets in the territory, released this statement about the donations: “”We think that it’s fair that some of the money the companies have paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped changed someone’s life. Today we sended (sic) the first donations.”
Some security experts, such as Brett Callow of Emsisoft, say that this is the first time they have seen a group of outlaw hackers openly donate the proceeds of their crimes to charity. The donation was made through The Giving Block, a platform that facilitates cryptocurrency donations for non-profit organizations. The Giving Block issued a “whale alert” via Twitter celebrating the donations when they were made, apparently not aware at the time that hackers were involved. The platform has issued a statement indicating that it is working to determine if the donated funds were obtained illegally, and if so how to return them. It is unclear if that means that the Giving Block will simply reverse the donation back to Darkside, or if they will attempt to get authorities involved to return the stolen Bitcoins to the parties they were initially taken from.
Stolen Bitcoins don’t equate to ethical hacking
There is a long tradition of “ethical hacking” that dates back almost four decades, in which crimes are committed in what is at least ostensibly the name of the greater public good. Darkside’s actions do not resemble this dynamic at all. Not only does Darkside appear to not discriminate in the organizations that it targets with ransomware, it was also among the first wave of groups to begin exfiltrating data from victims and threatening to publicly post it if the ransom is not paid.
Even if one does not quibble with the nature of the business of Darkside’s victims, the group’s data dumps (spanning hundreds of gigabytes of data) can include the sensitive personal information of employees and customers. The impact can also lead to layoffs or even business shutdowns. As Javvad Malik, Security Awareness Advocate for KnowBe4, points out: “Whenever an organization is extorted via ransomware or other means, that money impacts actual individuals. Many people have lost their jobs over the years, there have been organizations that have ceased to exist, and there has even been some talk recently of the role ransomware had to play in the unfortunate death of a patient transported to a different hospital.”
The group’s offer of stolen Bitcoins to charity is among the first since this type of digital currency became common, but it is not unprecedented. In 2016 a hacker going by the handle of “Phineas Fisher” made a 25 Bitcoin donation (worth about $11,000 at the time) to a Kurdish militia in Syria that was waging war against ISIS. Given that same amount is worth about $374,000 today (and would have been worth nearly $500,000 at Bitcoin’s peak in late 2017), one wonders if the hacker would have been as altruistic under more current circumstances.
Cybersecurity experts unsurprisingly take a cynical view of Darkside’s attempts to donate the stolen Bitcoins. Katie Nickels, director of intelligence at Red Canary, said: “This latest “donation” effort by ransomware operators is just an attempt to improve their image publicly. When the pandemic first started, we saw ransomware operators claim that they wouldn’t target hospitals – yet we know many of them have. If ransomware operators truly cared about making the world a better place, they would stop ransoming victims, not make donations.”
A clumsy attempt at PR is one possibility for donating stolen crypto, but there are others that are even more nefarious. The hackers might also be testing various charities to see if they make for usable money laundering outlets for their stolen Bitcoins, or may believe that the pretense of having some sort of ethical code will lead to higher rates of payment in future ransomware attacks. Hackers might also work a “long con” in which they develop a reputation for charity donations, only to begin donating to fake charities that they control in the hopes that the publicity will lead others to make donations to those charities as well.