Ransomware gang BlackCat exit scams affiliates with millions in Bitcoin after attacking medical IT firm

  crypto.news 2 h

Cyber gang BlackCat allegedly scammed its own affiliates as the group went dark shortly after it disrupted the U.S. healthcare system.

An address associated with the ransomware gang BlackCat, also known as ALPHV and Noberus, received approximately $22 million worth of Bitcoin (BTC) on Mar. 1 following a late February attack on United Healthcare’s Change Healthcare, a tech firm providing services to hospitals and clinics.

#ALPHV scamming affiliates? $22M paid and withdrawn pic.twitter.com/0ocKoXNLme

— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) March 4, 2024

However, a twist emerged two days later when the address received over 1,000 BTC and promptly emptied the wallet. Subsequently, an individual named “notchy,” claiming to be an affiliate of BlackCat, alleged in a post on a cybercriminal underground forum that the gang had deceived its affiliates as it didn’t pay them their share for executing the attack, according to a copy of the message shared on X by Dmitry Smilyanets, Recorded Future’s product management director.

You might also like: Reddit hackers want $4.5m and ethical conduct from the company

The affiliate further disclosed that the attack on Change Healthcare’s network had granted access to the data of numerous other healthcare firms partnered with the medical IT provider. In a statement to Wired, Smilyanets confirmed that the affiliates “still have this data, and they’re mad they didn’t receive this money.”

Both Recorded Future and TRM Labs, a blockchain analysis firm, have reportedly identified the Bitcoin address that received nearly $100 million in Bitcoin as linked to the BlackCat hackers. According to MistTrack, all the BTC allegedly connected to illicit activity has been transferred to eight different addresses and remains unspent thus far.

The address 14Q5xgBHAkWxDVrnHautcm4PPGmy5cfw6b appears to have received 1,401.6953 $BTC(worth $150M) on March 1. 🥲

The BTC has been transferred to 8 different addresses and has not yet been transferred out. #ALPHV #Ransomhttps://t.co/MezDEHc5Wo https://t.co/8l9iIwZ3sD pic.twitter.com/HpglL0FNf3

— MistTrack🕵️ (@MistTrack_io) March 6, 2024

Established in late 2021, BlackCat operated on a ransomware-as-a-service model, providing affiliates with malware and taking a percentage of ransom payments. Having targeted numerous companies worldwide, including Reddit in 2023, the gang’s website was shut down by the FBI in December 2023, resulting in the seizure of multiple websites and the release of a decryption tool.

However, in February 2024, the U.S. Department of State annoucned a reward offering of up to $10 million for information leading to the identification or location of individuals holding key leadership positions within the BlackCat group and up to $5 million for information leading to the arrest or conviction of anyone involved in the group.

Source