
WannaCry ransomware bitcoins move from online wallets

More than $140,000 (£105,000) worth of bitcoins paid by victims of the WannaCry ransomware outbreak have been removed from their online wallets.

However, many clearly decided to take a chance.


According to bitcoin-monitoring company Elliptic, an initial portion of the WannaCry funds was moved in late July.

And at about 04:10 BST on Thursday, the vast majority were finally withdrawn in their entirety.

Many watchers expect that the WannaCry bitcoins will be put through a "mixer" - in which the currency is transferred and mixed into a larger series of payments that make it much harder to track where it ends up.

Analysis

By Alan Woodward, cyber-security adviser to Europol

Many people assume Bitcoin is anonymous: the online equivalent of cash. However, every transaction is completely visible to anyone who cares to look.

There are even online sites that allow you to view what is happening in the blockchain - the distributed ledger that records all bitcoin movements.

The blockchain is more like a Swiss bank account: you know the account number and which account transfers money to which other accounts, but you don't necessarily know who stands behind that account number.

A technique called "cluster analysis" looks across all of these bitcoin addresses and attempts to find addresses that are being used by the same people.

Then, some of the other transactions in that cluster, which were not intended to be anonymous, can provide evidence of who owns those addresses.

Law enforcement agencies often use this classic approach to track criminals - the idea, of course, is: "Follow the money."

Alan Woodward is professor of cyber-security at the University of Surrey.
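
The cluster analysis described in the analysis above can be sketched in code. This is an added example, not part of the original article or any tool it mentions: it assumes the common-input-ownership heuristic (addresses spent together as inputs of one transaction are treated as controlled by the same party), which is one widely used clustering rule, and every address, transaction and owner label below is constructed.

```python
from collections import defaultdict

# Constructed sample transactions (not real blockchain data).
# "inputs" are the addresses spending coins, "outputs" the recipients.
TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["addrM1"]},
    {"txid": "tx2", "inputs": ["addrB", "addrC"], "outputs": ["addrM2"]},
    {"txid": "tx3", "inputs": ["addrD"], "outputs": ["addrE"]},
    {"txid": "tx4", "inputs": ["addrC", "addrX"], "outputs": ["addrShop"]},
    {"txid": "tx5", "inputs": ["addrE", "addrF"], "outputs": ["addrM3"]},
]
# Constructed attribution: one address linked to an identity by a non-anonymous transaction.
KNOWN_OWNERS = {"addrX": "exchange account (constructed)"}


def find(parent, x):
    """Union-find lookup: return the representative address of x's cluster."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving keeps lookups fast
        x = parent[x]
    return x


def cluster_addresses(txs):
    """Merge all input addresses of each transaction into one cluster."""
    parent = {}
    for tx in txs:
        roots = [find(parent, a) for a in tx["inputs"]]
        for r in roots[1:]:
            parent[find(parent, r)] = find(parent, roots[0])
    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(parent, addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def attribute(clusters, known):
    """Map each cluster to the known owners of any address inside it."""
    return {c: sorted({known[a] for a in c if a in known}) for c in clusters}


if __name__ == "__main__":
    for c, owners in attribute(cluster_addresses(TXS), KNOWN_OWNERS).items():
        print(sorted(c), "->", owners or "unattributed")
```

Here addrA, addrB and addrC are never linked to an identity directly, yet they inherit the attribution of addrX because they share a cluster with it. Transactions that deliberately combine inputs from unrelated parties violate the heuristic's assumption, so real analyses treat cluster membership as evidence rather than proof.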
