On Tuesday night the hackers behind the WannaCry attack started to collect on the payments made by their victims, emptying bitcoin wallets tied to the WannaCry ransomware, according to a report by Quartz.
In total, the hackers collected $140,000 in bitcoin from three bitcoin wallets, which are essentially accounts where bitcoins can be stored or transferred to and from. The hackers used seven different withdrawals to collect the full amounts from the bitcoin wallets, Quartz said. The website had set up a Twitter bot to monitor withdrawals from the accounts, which are publicly accessible on the blockchain.
“The money was likely sent through a bitcoin mixer, a process that obscures its trail from bitcoin to hard currency. The process is a sort of laundering operation for digital currency,” Quartz said.
Separately, the FBI arrested 23-year-old British security researcher Marcus Hutchins on Thursday. Hutchins is credited with stopping the WannaCry outbreak, but a report by The Guardian said his arrest is related to his alleged involvement in creating the banking trojan Kronos between 2014 and 2015.
An indictment filed in the Eastern District of Wisconsin said Hutchins, who is also known by his screen name MalwareTech, and another unnamed defendant “knowingly conspired and agreed with each other to commit an offense against the United States.” The indictment alleges that Hutchins and his co-defendant advertised the availability of the Kronos malware on internet forums; sold the Kronos malware; and received and distributed the proceeds obtained from selling the Kronos malware.
In 2014, the Kronos banking trojan was being advertised on Russian forums for pre-order, at a cost of $7,000.
Hutchins was in the U.S. this week traveling to the Def Con security conference, according to a friend who spoke to Motherboard on the condition of anonymity. He was detained in Nevada early on Thursday, and was moved to another facility.
Hutchins was hired in 2015 by Los Angeles-based threat intelligence firm Kryptos Logic, but he had never been outside of the U.K. until last year. He started a blog under the pseudonym MalwareTech when he was a teenager.