Bitcoin wallets that are known to have ties to the WannaCry ransomware have had funds withdrawn from them this morning.
Roughly three hours ago the wallets held 52.19666422 BTC, with the last payment into them made on 24th July. We know this thanks to the Twitter bot actual_ransom, set up by Keith Collins, a tech reporter at Quartz.
Status of WannaCry wallets:
52.19666422 BTC ($142,361.51)
338 payments, 0 withdraws
2017-07-24 at 10:07 AM ET
— actual ransom (@actual_ransom) August 3, 2017
Then, two hours ago, funds started to be withdrawn from the wallets and transferred into nine new wallets.
Unlike the NotPetya wallets, which were emptied almost a week after the “ransomware” crippled several firms, WannaCry’s wallets had been left untouched until now, slowly accumulating the ransoms folks were paying to get their data back.
WannaCry tore through 99 countries, locking down PCs and demanding ransoms of up to $600 that had to be paid in Bitcoin. Among the more notable organisations hit by WannaCry were the National Health Service in the UK and Sberbank in Russia.
In the days that followed the attack, Microsoft released patches for Windows XP, an operating system that it had stopped supporting in 2014.
Although the ransomware has been around since May, researchers are still not sure who is behind the attack. For a time it was thought that the hacking collective known as Lazarus Group was responsible, but those claims don’t seem to have been followed through.
With the wallets associated with the ransomware now being emptied, it’s beginning to look like we might never know who was behind the biggest ransomware attack we’ve ever seen.