Charities are currently being warned against accepting donated funds from hackers, ransomware outfits and other cybercriminal gangs, as keeping such a gift could be seen as profiting from a criminal action.

The not-for-profit organisations have been asked to be watchful of their accounts following a recent development in the cybercrime arena, where in a rarely seen move, ransomware operatives have donated a portion of their extorted funds to charity.

A twist in tactics for ransomware pros

Commonly deployed via a malicious link embedded in a phishing email, ransomware is a form of crypto malware that can infect a device or network, seizing sensitive files and rendering them inaccessible to user. In some cases, ransomware operators not only infiltrate but exfiltrate, viewing confidential files and then stealing them to hold as collateral should they be necessary. In return for access to their data files or systems, the victim will be asked to pay a ransom in cryptocurrency like Monero or Bitcoin. If they refuse, the ransomware gang will threaten to expose the stolen files on a hacker forum where they can be publicly viewed.

DarkSide, a sophisticated and professional cybercriminal outfit with a business-focused approach to ransomware tactics, has donated funds from one of its successful attacks to charity. The group, which first emerged this year, is self-styling itself as philanthropists of the cybercrime world, only robbing from rich enterprises. The gang even released an official press piece explaining its methods of meticulously analysing a target’s financial status before attacking, and confirming that it purposefully never launches assaults on non-profits or medical organisations. With this new tactic of giving funds back to charities, it is taking its Robin Hood image a step further.

Whitewashing a criminal image

In a recent October blog post, the group declared that giving some of the funds it had extorted to charity was “only fair”. In two bitcoin payments valued at $10,000 (£7,700) each, DarkSide donated to The Water Project in New Hampshire and Children International in Missouri, both charities in the United States. Payments were made using The Giving Block, an organisation established to managed donations made in cryptocurrency to non-profits. Additionally, the cybercriminal group posted its tax receipts for the transactions.

Kelvin Murray, threat researcher for Webroot, commented that the donations made appeared to be part of a burgeoning trend of ransomware operators attempting to clean up their public profile:

“We have seen this with the Maze gang, among others, where throughout the Covid-19 pandemic they have continuously reminded us that they have not been targeting hospitals out of moral concern. This also coincides with their relatively new tactic of stealing data from their victims and threatening to publicly post it on websites. These large gangs also do a lot of public posting on the dark web as they court customers and form business alliances.”

In response to the funds gifted by DarkSide, charity Children International has stated it will not keep the donation and The Giving Block has now started an in-depth investigation to trace where the funds originated from and how it can return them.