The World Is Watching: Can WannaCry's Creators Cash Out Their Bitcoin Ransom?

Bitcoins amassed by those behind the huge malware attack are being watched by the authorities. Can they retrieve the funds and not get caught?

May 18, 2017 at 11:00 a.m. UTC
Updated Sep 11, 2021 at 1:20 p.m. UTC

The hackers behind the infamous WannaCry ransomware have had a lucrative week. So far, they have racked up almost $80,000 in bitcoins. But their next step may be more difficult – they still have to figure out how to move that money, without giving themselves away to authorities.

The well-publicized cyber-attack, which began in Asia, has locked up hundreds of thousands of computers in more than 150 countries. Once a computer gets infected, a tab pops up demanding a $300 payment in bitcoin to unfreeze the data.

Shockingly, despite no clear evidence that anyone who pays the ransom actually receives the promised decryption keys to unlock their encrypted files, some people have been putting up the funds, sending their bitcoin off to one of the hackers' three bitcoin wallet addresses.

But now, with the world's cybercrime teams watching those bitcoin addresses, the question is: Will the hackers be able to launder that money and spend it? Or, is the money tainted, traceable, and therefore worthless to the thieves?

Follow the coins

Originally bitcoin was touted as an anonymous payment vehicle. But over the years it has become clear that bitcoin is pseudonymous rather than truly anonymous.

Bitcoin addresses, payments and transactions are all visible on the blockchain. And by analyzing transaction patterns, it is possible to trace money and find the actual parties behind the public keys – the strings of letters and numbers bitcoin uses to identify its participants.

As WannaCry is the most widespread bitcoin ransomware attack in history, the criminals behind it have garnered a lot of attention. So, if they want to actually spend their funds, they will have to find a clever way to remove all links from the original bitcoin addresses.

As of right now, though, the bitcoins are still sitting untouched, and the trail is cold.

Hiding their tracks

So what are the options for the bad actor(s) behind the ransomware attack?

Laundering bitcoin is a little different from laundering fiat money, but it is just a matter of applying the right tools, according to Emin Gün Sirer, a professor at Cornell University. Technologies already exist for shedding so-called 'tainted' bitcoins, he said – they just require a little technical know-how.

One of the simplest processes is 'chain hopping', where bitcoins are converted into other digital currencies, usually at offshore exchanges. "Following the trail gets quite difficult as the coins cross jurisdictions and change shape," Sirer told CoinDesk.

Another technique, known as 'tumbling', would allow the hackers to pool their ill-gotten bitcoins with other people's coins.

In a bitcoin tumbling service, coins from different sources are mixed together and then re-disbursed. Conceivably, the hackers could repeatedly mix their coins until the coins were diluted enough to throw law officials off their path.

But Ethan Heilman, the Boston University researcher behind TumbleBit, a proposed bitcoin tumbler, indicated that mixing bitcoin is risky business, especially when dealing with larger sums of money. As he pointed out, one of the problems the hackers may run into is finding a large enough number of bitcoins to adequately mix with.

"Even if they mix the coins such that they will be hard to follow, if the WannaCry hackers make a mistake and join the coins back together, those coins could become vulnerable to clustering and other blockchain analysis techniques," he said.

Further, it is unclear how effective most mixers actually are, Heilman added.

Newbie mistakes?

Notably, the fact that the hackers used only three bitcoin addresses to collect their money suggests they don't know much about bitcoin privacy. Had they used a unique bitcoin address for each computer WannaCry infected, the money would have been a lot more difficult to trace.

In a LinkedIn post, Neil Walsh, the UN’s head of global cybercrime, pointed to that and other shortcomings in the ransomware to suggest the hackers are likely in over their heads.

He wrote:

“We estimate that the attackers are relatively unskilled, and are probably unprepared for the impact their malware turned out to have. It is quite possible that they are unsure how to launder the bitcoin funds safely.”

However, as Sirer pointed out, hacking is a rich, stratified ecosystem, and the people who put together the exploit may now be looking for an expert at laundering coins. Or, they may simply be biding their time before attempting to retrieve the funds.

He concluded:

"The authorities are revved up right now, and time will help dilute their focus. The hackers can probably afford to wait, potentially for a long time."

Hacker image via Shutterstock


