Mysterious 'Robin Hood' hackers donate stolen money

[German]Premiere in the field of cyber-crime? A group of hackers donates a tiny portion of the money they get from hacks to charity, which puzzles the experts. Here is some information about it.


Advertising

It's a strange story that the BBC made public a few days ago. Cyber criminals who see themselves as hackers claim to have extorted millions of dollars from companies. Now they want to "make the world a better place" and try to donate the proceeds to charity. 

Bitcoins
(Source: Pexels David McBee CC0 License)

In a posting on the Dark Web, the hackers published receipts for $10,000 in Bitcoin donations to two charities. One of the recipients is Children International, but they immediately announced that they would not accept or keep this donation.

Spendenbeleg
(ScreenShot donation receipt, source: BBC)

The donation is seen by experts as a strange and above all disturbing development that raises significant problems and questions both morally and legally. In addition, the amounts donated are only a tiny fraction of the revenues, so the whole thing must be seen more as a gimmick with which cyber criminals seek publicity.


Advertising

Mail of the cyber criminals

In a blog post of October 13, 2020, the hackers claim that their ransomware attacks target only large profitable companies. In ransomware attacks, the companies' IT systems are encrypted and a ransom is extorted. In the post the hackers wrote:

We consider it fair that some of the money paid by the companies is used for charitable purposes. No matter how bad you think our work is, we are happy to know that we have helped change someone's life. Today we have transferred the first donations (sic).

The cyber criminals documented the donation with receipts from the recipients, which are issued for tax purposes. Donated were 0.88 Bitcoins each. The recipients were two charities, The Water Project und Children International.

  • Children International supports children, families and communities in India, the Philippines, Colombia, Ecuador, Zambia, Dominican Republic, Guatemala, Honduras, Mexico, and the United States.
  • The Water Project is committed to improving access to clean water in sub-Saharan Africa.

A spokesperson for Children International told the BBC: "If the donation is linked to a hacker, we have no intention of keeping it". The Water Project has not responded to BBC requests for comment.

Background unclear

Brett Callow, Threat Analyst at the cyber security company Emsisoft, had drawn my attention to the above article by e-mail. He told the BBC:

It is not at all clear what the criminals hope to achieve with these donations. Perhaps it will help to alleviate their guilt? Or maybe for selfish reasons they want to be perceived as Robin Hood-like characters and not as unscrupulous blackmailers.

Whatever their motives may be, this is certainly a very unusual step and to my knowledge the first time a ransom group has donated a portion of their profits to charity.

According to Callow, the group of cyber criminals is relatively new to the scene. But an analysis of the market for crypto-money shows that the group is actively extorting money from ransomware victims. There are also indications of links to other groups of cyber criminals. These are responsible for high-profile attacks on companies (such as Travelex).

Follow the money

The way cyber criminals paid the charities is also unusual, raises questions and poses a problem for law enforcement agencies. The cybercriminals used a U.S.-based service called The Giving Block, which is used by 67 different charities from around the world, including Save The Children, Rainforest Foundation and She's The First.

The Giving Block describes itself online as "the only nonprofit specific solution for accepting donations in crypto-currency. The organization was founded in 2018 to offer "millionaires" among crypto-money owners the opportunity to take advantage of "the enormous tax incentive to donate Bitcoin and other crypto-currencies directly to charities. The organization probably also allows anonymous donations. The Giving Block told the BBC on request that it was not aware that these donations were made by cyber criminals. The organization states the following in a statement:

We are still working to determine whether these funds were actually stolen. If it turns out that these donations were made with stolen funds, we will of course begin to return them.

The fact that they [the criminals] used crypto money will make it easier, not harder, to catch them.

The Giving Block did not disclose details of what the term 'returning the stolen money to its rightful owner' actually means. Will the money go to the cyber criminals, or will they try to find victims of the ransomware attacks and compensate them? No details have been given about what information the organization collects about its donors.

Most services that buy and sell digital money like Bitcoin require users to verify their identity. But it is not clear whether this has been done here. A BBC test showed that anonymous donations to The Giving Block are also possible. Such anonymous donations naturally raise some questions, especially for the recipients.

Crypto-currency investigator Philip Gradwell of Chainalysis points out that an anonymous cash donation to a charity 'should always be questioned by them', and that this is no different for anonymous cyber-money donations, especially when tax receipts are issued. Experts like him point out that the case highlights the complexity and dangers of anonymous donations. Gradwell says:

It's true that security researchers and law enforcement agencies have become very adept at tracking crypto-money moving from wallet to wallet. But finding out who actually owns each wallet is far more complicated.

By allowing anonymous donations from potentially illegal sources, an organization runs the risk of supporting money laundering. All crypto-currency transactions require a number of anti-money laundering measures, including a Know Your Customer (KYC) program with basic background checks to help the organization understand who is behind the transactions.

It remains exciting to see how this topic is now evolving. Let's see, maybe Brett Callow will let me know. That the 'Robin Hood' story of the cyber criminals is not quite working out is clear from two cases. In a ransomware attack on the University Hospital in Düsseldorf, an indirect death occurred because a patient could not be treated due to the IT failure (see Ransomware attack in German hospital ends deadly for a women – blame Shitrix vulnerability). Callow sent me the link to an Emisoft statement, which I discussed in the German article Ransomware-Infektionen mit Datenlecks: Stoppt den Wahnsinn.


Advertising

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).