WannaCry addresses were emptied in a day as speculations over where the money goes are emerging. Meanwhile, the hero of the day who disabled the initial attacks is arrested just a day earlier.

Cash out

Just months after WannaCry ransomware attack that struck all corners of the globe, the hackers behind the act have moved over $140,000 worth of Bitcoins collected as ransom out of the initial wallets.

A twitter bot set up by Keith Richards of Quartz pointed out the movements of large sums on Aug. 3. Shortly after the balance of known WannaCry wallets dropped to zero. Companies from FedEx to Nissan and UK’s National Health Service were attacked.

This is not the first move of funds as the elliptic points out.

The company monitors Bitcoin wallets and provides data that is openly available. As seen below over about 10 days starting from May 12, the attacker’s addresses ballooned from around almost zero to $139,000.

Businesses and organizations that could not afford to have their systems offline and data encrypted were forced to quickly pay from $300 to $600 to decrypt their systems.

This could run into tens of thousands for a single organization. From July 24 funds started being moved out and finally on Aug. 3 over $120,000 remaining was moved in a single day.

Sums were generally moved in lots of around $20-27,000 worth of Bitcoins until completely drained.

Andy Patel of F-Secure has no strong assumption as to why to move the money. A key factor of Bitcoin transactions is that they are pseudonymous. Despite not being anonymous, there is no way of knowing who control the keys to the addresses.

“I have not idea why they would move the money… Wouldn’t imagine they are going to try and turn those Bitcoins into real money. If they do, it’s going to give someone a track to an actual person.” Patel told the BBC.

Follow the money

Alan Woodward who acts as a cyber security advisor to Europol points out that many assume Bitcoin is anonymous - this is very different from being pseudonymous. The Bitcoin ledger is entirely visible to all.

He goes on to explain that “cluster analysis” is a technique used to attempt locating addresses controlled by the same person.

This is no different than the classic “follow the money” approach used to catch money laundering and illegal financing. However, with the complexity of digital currencies, a difficulty level is added.

While there were different assumptions as to where the money went or will go, some suggestions included swapping the Bitcoins for privacy orientated Monero or even running it through a mixer to try to lose the trail.

It should be noted that recently AlphaBay was taken down and the world’s largest Bitcoin mixing service suddenly closed doors.

ShapeShift has since released a statement confirming that the attackers used their service to exchange Bitcoin to Monero but did breach the terms of service.

“As of today, we have taken measures to blacklist all addresses associated with the WannaCry attackers that are known to the ShapeShift team, as is our policy for any transactions we deem breach our terms of service. We are closely watching the situation as it continues to unfold as to block any further addresses associated….Any transactions made through ShapeShift can not be hidden or obscured and are thus 100 percent transparent, making laundering of any digital tokens impossible.”

- ShapeShift statement regarding the transactions

Hero arrested

Meanwhile, Marcus Hutchins who was the first cyber security expert to shut down the first attacks “accidentally,” has been arrested in the US. According to mainstream media, he has been accused of involvement with Kronos - a malware used to steal bank logins.

Cointelegraph cannot confirm the validity of these allegations. The 23-year-old Brit was visiting the US to attend Black Hat and Def Con conferences

Fellow researcher Kevin Beaumont tweeted:

“...It looks like the US justice system has made a huge mistake.”