Mysterious 'Robin Hood' hackers donating stolen money

EDUARD MUZHEVSKYI / SCIENCE PHOTO LIBRARY robin hood hacker imageryEDUARD MUZHEVSKYI / SCIENCE PHOTO LIBRARY

A hacking group is donating stolen money to charity in what is seen as a mysterious first for cyber-crime that's puzzling experts.

Darkside hackers claim to have extorted millions of dollars from companies, but say they now want to "make the world a better place".

In a post on the dark web, the gang posted receipts for $10,000 in Bitcoin donations to two charities.

One of them, Children International, says it will not be keeping the money.

The move is being seen as a strange and troubling development, both morally and legally.

tax recept for hacker donation
The hackers posted their tax receipt for the $10,000 donation

In the blog post on 13 October, the hackers claim they only target large profitable companies with their ransomware attacks. The attacks hold organisations' IT systems hostage until a ransom is paid.

They wrote: "We think that it's fair that some of the money the companies have paid will go to charity.

"No matter how bad you think our work is, we are pleased to know that we helped changed someone's life. Today we sended (sic) the first donations."

The cyber-criminals posted the donation along with tax receipts they received in exchange for the 0.88 Bitcoin they had sent to two charities, The Water Project and Children International.

Children International supports children, families and communities in India, the Philippines, Colombia, Ecuador, Zambia, the Dominican Republic, Guatemala, Honduras, Mexico and the United States.

A Children International spokesperson told the BBC: "If the donation is linked to a hacker, we have no intention of keeping it".

The Water Project, which works to improve access to clean water in sub-Saharan Africa, has not responded to requests for comment.

another tax receipt for a donation
Another receipt was posted on the dark web blog showing a $10,000 donation

Brett Callow, Threat Analyst at cyber-security company Emsisoft, said: "What the criminals hope to achieve by making these donations is not at all clear. Perhaps it helps assuage their guilt? Or perhaps for egotistical reasons they want to be perceived as Robin Hood-like characters rather than conscienceless extortionists.

"Whatever their motivations, it's certainly a very unusual step and is, as far as I know, the first time a ransomware group has donated a portion of their profits to charity."

The Darkside hacker group is relatively new on the scene, but analysis of the crypto-currency market confirms they are actively extorting funds from victims.

There is also evidence they may have links to other cyber-criminal groups responsible for high-profile attacks on companies including Travelex, which was crippled by ransomware in January.

The way the hackers paid the charities is also a possible cause for concern for law enforcement.

The cyber-criminals used a US-based service called The Giving Block, which is used by 67 different non-profits from around the world including Save The Children, Rainforest Foundation and She's The First.

deleted tweet from giving block
The now-deleted tweet celebrating the donation from the hackers

The Giving Block describes itself online as "the only non-profit specific solution for accepting crypto-currency donations".

The company was set up in 2018 to offer cryptocurrency 'millionaires' the ability to take advantage of the "huge tax incentive to donate Bitcoin and other cryptocurrencies directly to non-profits".

The Giving Block told the BBC it was not aware these donations were made by cyber-criminals. It said: "We are still working to determine if these funds were actually stolen.

"If it turns out these donations were made using stolen funds, we will of course begin the work of returning them to the rightful owner."

The company did not clarify if this means returning the stolen money to the criminals, or attempting to work out which of the criminal victims it intended to reimburse and how.

The Giving Block, which is also an advocate for crypto-currencies, added: "The fact they used crypto will make it easier, not harder, to catch them."

However, The Giving Block has not given details on what information they collect on their donors. Most services that buy and sell digital coins like Bitcoin require users to verify their identity, but it's not clear whether this has been done here.

The Bitcoin payment widget on a charity website
67 charities use The Giving Block to accept crypto-currency

As an experiment, the BBC attempted to donate anonymously through The Giving Block's online system, and was not asked any identity verification questions.

Experts say the case highlights the complexity and dangers of anonymous donations.

Crypto-currency investigator Philip Gradwell from Chainalysis said: "If you walked into a charity shop with an anonymous mask on and donated £10,000 in cash, then asked for a taxable receipt, questions should probably be asked - and it's no different.

"It's right to say that researchers and law enforcement have become adept at tracing crypto-currency funds as they are moved around from wallet to wallet. But finding who actually owns each wallet is far more complicated.

"By allowing anonymous donations from potentially illicit sources, it opens up the danger of money laundering.

"All crypto-currency businesses need a full range of Anti-Money Laundering measures including a Know Your Customer (KYC) program of basic background checks, so that they can understand who is behind the transactions their business facilitates."

The BBC has spoken with other charities which accept donations via The Giving Project.

Save the Children told the BBC it would "never knowingly take money obtained through crime".

She's the First, a charity for girls' education around the world, said it would not be comfortable accepting money from anonymous, possibly criminal, sources and said: "It's a shame that bad actors would exploit the opportunity to donate crypto-currency for personal gain, and we hope that even anonymous donors share our community's values."