Mysterious ‘Robin Hood’ hackers donating stolen money
21 Oct 2020

Darkside hackers claim to have extorted millions of dollars from companies, but say they now want to “make the world a better place”.

In a post on the dark web, the gang posted receipts for $10,000 in Bitcoin donations to two charities.

One of them, Children International, says it will not be keeping the money.

The move is being seen as a strange and troubling development, both morally and legally.

In the blog post on 13 October, the hackers claim they only target large profitable companies with their ransomware attacks. The attacks hold organisations’ IT systems hostage until a ransom is paid.

They wrote: “We think that it’s fair that some of the money the companies have paid will go to charity.

“No matter how bad you think our work is, we are pleased to know that we helped changed someone’s life. Today we sended (sic) the first donations.”

The cyber-criminals posted the donation along with tax receipts they received in exchange for the 0.88 Bitcoin they had sent to two charities, The Water Project and Children International.

Children International supports children, families and communities in India, the Philippines, Colombia, Ecuador, Zambia, the Dominican Republic, Guatemala, Honduras, Mexico and the United States.

A Children International spokesperson told the BBC: “If the donation is linked to a hacker, we have no intention of keeping it”.

The Water Project, which works to improve access to clean water in sub-Saharan Africa, has not responded to requests for comment.

Brett Callow, Threat Analyst at cyber-security company Emsisoft, said: “What the criminals hope to achieve by making these donations is not at all clear. Perhaps it helps assuage their guilt? Or perhaps for egotistical reasons they want to be perceived as Robin Hood-like characters rather than conscienceless extortionists.

“Whatever their motivations, it’s certainly a very unusual step and is, as far as I know, the first time a ransomware group has donated a portion of their profits to charity.”

The Darkside hacker group is relatively new on the scene, but analysis of the crypto-currency market confirms they are actively extorting funds from victims.

There is also evidence they may have links to other cyber-criminal groups responsible for high-profile attacks on companies including Travelex, which was crippled by ransomware in January.

The way the hackers paid the charities is also a possible cause for concern for law enforcement.

The cyber-criminals used a US-based service called The Giving Block, which is used by 67 different non-profits from around the world including Save The Children, Rainforest Foundation and She’s The First.

The Giving Block describes itself online as “the only non-profit specific solution for accepting crypto-currency donations”.

The company was set up in 2018 to offer cryptocurrency ‘millionaires’ the ability to take advantage of the “huge tax incentive to donate Bitcoin and other cryptocurrencies directly to non-profits”.

The Giving Block told the BBC it was not aware these donations were made by cyber-criminals. It said: “We are still working to determine if these funds were actually stolen.

“If it turns out these donations were made using stolen funds, we will of course begin the work of returning them to the rightful owner.”

The company did not clarify if this means returning the stolen money to the criminals, or attempting to work out which of the criminal victims it intended to reimburse and how.

The Giving Block, which is also an advocate for crypto-currencies, added: “The fact they used crypto will make it easier, not harder, to catch them.”

However, The Giving Block has not given details on what information they collect on their donors. Most services that buy and sell digital coins like Bitcoin require users to verify their identity, but it’s not clear whether this has been done here.

By Joe Tidy, BBC News, 20 October 2020

Read more at BBC News

RiskScreen: Eliminating Financial Crime with Smart Technology

Advance your CPD minutes for this content, by signing up and using the CPD Wallet

FREE CPD Wallet