UPDATE : 9 December 2025 - 15:40

DarkSide Affiliates Claim Gang's Bitcoins Stashed On Hacker Forum

Since the DarkSide ransomware operation was shut down a week ago, multiple affiliates have complained about not being paid for previous services and filed a Bitcoin escrow request on a hacker forum.

Since the DarkSide ransomware operation was discontinued a week ago, multiple affiliates have complained about not being paid for previous services and have filed a Bitcoin escrow request on a hacker forum.

Even Criminals Have Rules

Russian-speaking cybercriminal communities typically have an escrow system to prevent scams between sellers and buyers.

For ransomware operations (ransomware is a type of crypto-virus malware that threatens to publish the victim's data or to keep blocking access to it unless a ransom is paid), the deposit is a clear statement that they mean big business.

To gain the trust of potential partners and expand the operation, DarkSide deposited 22 Bitcoins on the popular XSS hacker forum. The wallet is managed by the site administrator, who in this case acts as a guarantor for the network and arbitrator in case of disputes.

Last year, REvil ransomware deposited $1 million in Bitcoin into another hacking forum to attract new recruits to the operation. This move demonstrated that they trusted the forum administrator with the money and that there was a lot of money to be made.

Last week, DarkSide shut down and informed affiliates that the decision came after losing access to its public-facing servers and was "due to pressure from the United States" following the Colonial Pipeline attack.

This is good for the big companies that operate in Bitcoin, since DarkSide mainly attacks the big wallets, and it is a sigh of relief for all those who want to start investing now.

Unpaid Debts

The dissolution of DarkSide's ransomware-as-a-service (RaaS) operation was sudden and clearly left some unfinished business. Five partners complained that the operators owed them money from paid ransoms or hacking services:

The first affiliate who filed the complaint claimed to have "repented" of an attack and was owed 80% of the ransom payment. However, after the victim paid, DarkSide operators stated they no longer had access to the funds and the affiliate could use the XSS deposit to receive payment.

The second affiliate claims he left bitcoins for them on the affiliate portal, but had to rush to relatives before they could claim them.

A third affiliate claims they were also a "pentester" and had a ransom just before the DarkSide operation shut down. This affiliate claims to have sent proof to the XSS administrator.

A fourth affiliate claims to have worked on corporate breaches but never received the final $150,000 payment.

The fifth and final affiliate claims to have received $72,000 on the affiliate portal but, due to health reasons, was unable to withdraw it before the operation was closed.

In the case of the first complaint, filed on March 14th, the forum administrator, who is acting as arbitrator, approved the settlement from DarkSide's deposit. They also asked others to come forward if they have grounds for complaint.

Victims of DarkSide

Four days later, the second request appeared, followed by three more on March 19th and 20th. None of these received a response from the forum administrator.

DarkSide rose to prominence in August 2020 and has become one of the most prolific ransomware groups. In nine months, the operation has generated at least $90 million in ransoms.

In just one week, the gang raised approximately $9 million from two attacks: Colonial Pipeline and the German chemical distribution company Brenntag.

Even though DarkSide is shut down, there are still extorted victims. Affiliates have received corresponding decryption keys to continue negotiations with victim companies separately.

Article published on May 24, 2021 - 10:54 PM - Editorial Staff