WannaCry Attackers Empty Their Bitcoin Wallets With Roughly $145,000 Inside

The people behind the WannaCry ransomware campaign, which affected hundreds of thousands of devices around the world in May, have finally emptied the Bitcoin wallets to which their victims directed payments. Combined, the wallets contained roughly $145,000 worth of Bitcoin.

WannaCry is perhaps the most famous ransomware campaign to date. (Its potential successor, the Petya / NotPetya attack from June, appeared to have been more focused on destroying data than holding it for ransom.) It exploited a vulnerability in Windows called EternalBlue that, according to Microsoft, was discovered and hoarded by the NSA. It eventually leaked, and WannaCry's coordinators used it to compromise at least 300,000 PCs.

Yet the campaign had a flaw: the attackers only used a handful of Bitcoin wallets to receive their ransoms. It didn't take long for Quartz reporter Keith Collins to set up a bot to monitor the wallets' activity, and if a journalist was keeping an eye on them, chances were good that law enforcement agencies were as well. Few thought the WannaCry attackers would empty the wallets knowing the world would be watching them.

Apparently those people were wrong. Collins' bot reported last night that all three wallets associated with the WannaCry campaign were emptied. The wallets contained 52.19666422 BTC--at current exchange rates, that adds up to just over $145,000. That's a lot of money to leave unclaimed no matter who's watching, and hubbub over the recent split between Bitcoin and Bitcoin Cash may have led the attackers to throw caution to the wind.

Now whoever carried out the WannaCry attack is likely $145,000 richer than they were earlier this week. (Minus any fees associated with laundering the funds--assuming the attackers didn't just cash out without trying to cover their tracks.) Speculation about the attacker's identity runs rampant, though the NSA has reportedly pointed the finger at North Korea, at least in private. Officially, the campaign's perpetrator(s) remains unidentified.

Microsoft has released a series of updates to all recent versions of Windows, from XP to 10, in an attempt to defend against campaigns like this. Now the question is whether or not people and organizations will install these updates quickly enough to make the company's efforts worthwhile. But if the past is any indicator, we wouldn't hold our breath waiting for everyone to update their devices with these crucial fixes.

This thread is closed for comments
    Your comment
  • derekullo
    So only 483 - 966 people paid the ransom?

    With all the hype I was hearing about it i was expecting at least $1,000,000 in ransoms.
  • Gary_133
    A better question would be if all these entities were watching the bitcoin account then didn't anyone know where it went?

    Even if a proxy or proxies were used to claim the money, it would still make it somewhat tracable, so what happened?
  • Kennyy Evony
    NSA has the cash in their back pockets. This is why they were sitting on the exploit. "I've seen this movie already!"!