This story is over 5 years old.


Hackers Behind WannaCry Cashed Out Bitcoin While No One Was Watching

Hackers behind two strains of WannaCry have moved out their bitcoin proceedings in a very similar way.
Image: Steve Heap/Shutterstock

Almost three months after their ransomware wreaked havoc all over the world—locking doctors out of patient records, preventing employees of telecom giants to work on their company computers, and frustrating thousands of victims—the hackers behind the outbreak have started to cash out.

On Wednesday, the unknown hackers behind the ransomware outbreak known as WannaCry emptied their three bitcoin wallets, moving around $140,000. They appear to have used the same method of the hackers behind the ransomware's predecessor, which is sometimes referred to as WannaCry 1.0. Cryptocurrency watchers told Motherboard that this suggests the hackers are the same in the two versions, but there is currently no further evidence to suggest this is the case.


Read more: Kidnappers Around the World Want Their Ransoms Paid in Bitcoin

On July 20, whoever was behind WannaCry 1.0 cashed out all the bitcoin they accumulated, and converted it to the more anonymous and harder to track cryptocurrency Monero, according to researchers. WannaCry 1.0 is an earlier version of WannaCry; it's unclear if it was controlled by the same hackers as WannaCry 2.0, which is the version that caused damage all over the world.

Alberto Ornaghi, the co-founder of cryptocurrency tracking startup Neutrino, told Motherboard in an email interview he thinks the WannaCry 1.0 and 2.0 hackers are from the same group, though there are no definitive evidence showing that is the case.

"I think they're first testing with this little money from the first version to see how the entire world reacts as soon as they move those bitcoins," Ornaghi said.

Ornaghi and his colleagues at Neutrino first alerted Motherboard about these transactions.

"If they see it works and there aren't that many traces left around, they'll move the other money too," he added.

On Wednesday, the hackers behind WannaCry 2.0 also moved their money.

Neutrino researchers tracked the bitcoin funds acquired from WannaCry 1.0 and noticed that they got laundered and converted to Monero via a service called ShapeShift, a Swiss company that allows for easy, quick, and relatively anonymous conversions of cryptocurrencies. Recorded Future, a security firm that tracks cybercriminals, confirmed Neutrino's analysis of the WannaCry 1.0 money transactions.


This week, the hackers behind WannaCry 2.0 did the same exact thing with their bitcoin, Ornaghi told Motherboard.

"Same pattern as WannaCry 1.0," Ornaghi told me. "So we think the [malware] authors are the same."

At this point, however, there's no evidence that WannaCry 1.0 and WannaCry 2.0 are connected in any way other than the fact that the second ransomware appears to have reused some of the code from the first one. Researchers believe WannaCry 2.0 was created by North Korean government hackers.

"While [WannaCry 1.0] was not very successful in terms of number infections it was widely analyzed and the source code was floating around (to use the technical term) in various underground forums," Allan Liska, a researcher at Recorded Future, told Motherboard in an email. "If an attacker was looking for a simple, low-sophistication ransomware family to bolt another attack on, it was an ideal choice."

This is the third case in which hackers have quietly cashed out ransomware-generated funds weeks after disappearing. Hackers connected to NotPetya, another destructive ransomware strain that crippled Ukraine and spread all over the world, also moved their bitcoin wallets weeks after the outbreak.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at, or email

Get six of our favorite Motherboard stories every day by signing up for our newsletter.