A cybersecurity analyst has traced part of a $4.5 million Bitcoin ransom paid out by US travel giant CWT. But the hackers chose to launder their money in the place you’d least expect it—in plain sight on large cryptocurrency exchanges.
CWT, which produces annual revenues of $1.5 billion, paid the Bitcoin ransom to the hackers on July 28 to regain access to two terabytes of files and to stop them from exposing the information. The files included employee data, financial documents, and other information.
Tal Be’ery, co-founder of Israeli cybersecurity firm ZenGo, traced what happened to the money. In a write-up published today, Be’ery reports that the hackers, who are still at large, tried to launder their money through some of the largest cryptocurrency exchanges in the world, including Binance, Coinbase and Huobi.
“While most ransomware cases occur behind closed doors, CWT and their attackers inadvertently left the trail of their conversations open to public view, providing a unique glimpse into an otherwise secret world of ransomware-related negotiations,” he said.
Be’ery and his team at ZenGo followed the money to crypto exchanges using information about the correspondence uncovered by a Reuters journalist. Just 20 minutes after CWT paid the hackers their ransom, the hackers started splitting up the funds.