Three months after WannaCry impacted more than 300,000 computers in over 150 countries, the bitcoins paid by victims have been exchanged for Monero, a privacy-focused cryptocurrency that’s seen a spike in popularity and price over the last year, according to researchers at the Italian cryptocurrency intelligence firm Neutrino.
Beginning on Wednesday night, a Twitter bot set up by the business blog Quartz watched as money was drained from the wallet.
Alberto Ornaghi, Neutrino’s chief technology officer, told CyberScoop that Monero is attractive because “it’s a highly oriented privacy cryptocurrency.” The idea of shifting the funds to Monero, a three-year-old project widely seen as a powerful anonymization tool, has been bandied about for months by a wide range of observers. It looks like the WannaCry hackers, widely suspected to be North Korean state-backed actors, finally made the move.
“You cannot track a Monero address,” Ornaghi said. “You cannot even check the balance or when the address is used to move the funds.”
Monero hides both ends of a transaction as well as the amount. That stands in sharp contrast to Bitcoin, the original cryptocurrency first created in 2009, which uses a public ledger that exposes all transactions and wallets to public scrutiny.
Monero’s market cap is currently hovering around $650 million compared to Bitcoin’s approximately $45 billion.
Monero made some headlines earlier this year when the Shadow Brokers, the group of hackers that has been releasing and selling stolen NSA hacking tools, began accepting the privacy-centric cryptocurrency as payment. The currency is also increasingly accepted on dark web marketplaces where it’s used to hide large sums of cash, including by the arrested owner of the recently shuttered AlphaBay.
Ornaghi said the WannaCry funds were moved to ShapeShift.io, a cryptocurrency conversion platform, “because it’s easy to use and it does not require any registration. You use it completely anonymously.”
The apparent conversion of the funds from Bitcoin to Monero makes the funds more difficult to track, Ornaghi explained, “but if they can have access to the ShapeShift logs, maybe they can find some other clues of who utilized the service and from where.”
Update 8/3/2017, 3:58 p.m.: ShapeShift verified “that the WannaCry attacker did breach its terms of service and utilized the services to move a portion of their proceeds of crime,” according to a statement.
“As of today, we have taken measures to blacklist all addresses associated with the WannaCry attackers that are known to the ShapeShift team, as is our policy for any transactions we deem breach our terms of service. We are closely watching the situation as it continues to unfold as to block any further addresses associated.”
ShapeShift is currently engaging and assisting law enforcement.
“Any transactions made through ShapeShift can not be hidden or obscured and are thus 100 percent transparent, making laundering of any digital tokens impossible,” the statement concluded.