DorkSide: No Bitcoin for copycat hacker who took credit for wrong attack

DarkSide, the infamous ransomware group that made a cool $5 million in Bitcoin when it brought one of America’s largest gas suppliers to its knees earlier this month, has got itself a copycat.

DarkSide — the ransomware crew that made a cool $5 million in Bitcoin from America’s largest gas supplier — has a copycat.

For the past few weeks, an unknown actor pretending to be the Eastern Europe-linked DarkSide has demanded Bitcoin from companies across energy and food sectors, reports Trend Micro.

The Tokyo-based cybersecurity unit relayed a number of key differences between the wannabe blackmailer and the real McCoy.

DarkSide is famously elaborate in its approach, having extorted millions in Bitcoin from some of the world’s most prominent companies.

But there’s a hint of amateur hour about the newcomer (who we’ll call DorkSide).

Since June 4, DorkSide has sent the same 100 BTC ($3.25 million) ransom note every day to generic email addresses of businesses around the world.

Example of DorkSide email courtesy of Trend Micro.

In the email, the fraudster(s) claim to have hacked the target’s servers and stolen sensitive documents. So far, so DarkSide.

Thing is, while DarkSide always backed up its threats with proof it pilfered data, DorkSide offers no such evidence.

In fact, DorkSide’s attempts bear none of DarkSide’s hallmarks.

  • There’s no encryption of the victim’s files.
  • No Tor-hosted website with further instructions.
  • The Bitcoin address tagged at the end of the email is the same for every target.

Tellingly, DorkSide’s ransom note claims the crew “held a successful attack on the JBS,” referring to an attack on the world’s largest meat supplier in early June.

However, the FBI already established the JBS incident was the work of the Russian-based REvil group, not DarkSide — although the two do share some methods and may even be working together.

And DorkSide has so far been unsuccessful. According to Trend Micro, the Bitcoin address included in the email has so far received no funds.

“No actual attack has been traced back to the emails, and no new targets have been spotted,” said the firm.

Where’s the real DarkSide?

As DorkSide tries to fake it until it makes it, DarkSide is suspiciously quiet. 

As reported by Intel 471 in May, every one of the sites on which DarkSide usually communicates is offline. A Russian language post supposedly from the group claimed authorities seized its entire infrastructure.

If true, this would represent a massive win for the Feds. Although, not everybody’s convinced.

Tech portal Ars Technica noted none of DarkSide’s sites were replaced with notices that typically follow such seizures.

What DarkSide’s site should look like (image courtesy of Ars Technica).

This has led to speculation the real DarkSide has simply drawn too much heat — so they cut and run.

© 2021 Protos