The mysterious "Robin Hood" hackers who steal to give to charity

March 9, 2022

Since last Friday, the United States has been experiencing days of emergency after a cyberattack forced the Colonial company to shut down the 8,850 kilometers of pipelines it manages, which are essential for supplying the large population centers in the east and south of the country. The incident has left the authorities with their nerves on edge.

The pipeline, operated by Colonial Pipeline, a Georgia-based company, transports gasoline, diesel and jet fuel from Texas to the northeast. It delivers nearly 45% of the fuel consumed on the East Coast, according to the company.

While Joe Biden takes emergency measures to avoid a fuel shortage in much of the nation, such as the suspension of the gasoline evaporation control requirements in the pipeline in the states of Virginia, Maryland, Pennsylvania and the District of Columbia, investigators are looking for those responsible for this cyberattack.

The President mentioned: "So far there is no evidence, from our intelligence personnel, that Russia is involved, although there is evidence that the actors, the ransomware, is in Russia. They have some responsibility."

For its part, the FBI blamed "Darkside", a group of hackers from Eastern Europe that operates through ransomware, a type of attack in which the attackers often encrypt information to block access to computer systems, paralyzing networks, and then demand a large ransom to free the network.

Who is Darkside?

It is a relatively new group that became known in August 2020 and, according to several cybersecurity companies, operates as a "company": it has a press contact, has a code of ethics and donates to charity.

Darkside is reportedly made up of hackers with considerable experience and was made public in August 2020 through a press release, an unusual move that has led some to claim that this group has "professionalized" this criminal act, which has become a "business".


One detail to consider: Russian cybersecurity company Kaspersky reported that the cybercrime gang launched Darkside Leaks a few weeks ago, described as "a professional-looking website that could be from an online service provider."

The members of Darkside have their own ethical code, which is published on their website: they claim that they do not attack medical companies, government agencies, funeral homes, educational institutions or non-profit organizations, but only large companies.

They also say that they are fighting to "make the world a better place", for which they have donated part of the stolen money to charitable institutions, such as Children International and The Water Project, which has earned them the nickname of a sort of "Robin Hood" of this era.

"We think it's fair that some of the money that companies have paid goes to charity," the group wrote on its blog on October 13.


Guilty thieves?

For Brett Callow, a threat analyst at the cybersecurity company Emsisoft, "what criminals hope to achieve with these donations is not entirely clear. Perhaps it will help them mitigate their guilt? Or maybe for selfish reasons they want to be perceived as the hooded character from Robin Hood rather than conscienceless extortionists," he opined.

The Darkside hacker group is relatively new to the scene, but analysis of the cryptocurrency market confirms that they are actively extorting money from their victims. 

There is also evidence that they may have links to other cybercriminal groups responsible for high-profile attacks on companies, including Travelex, which fell victim in January. The way the hackers paid the charities is also a matter of concern for the authorities.

The cybercriminals have posted about the donation, along with the tax receipts they received in exchange for the 0.88 Bitcoin they had sent to two charities, The Water Project and Children International.

Children International supports children, families and communities in India, the Philippines, Colombia, Ecuador, Zambia, the Dominican Republic, Guatemala, Honduras, Mexico and the United States.

"If the donation is linked to a hacker, we have no intention of keeping it," a Children International spokesperson said.


Call to action

Darkside gained global notoriety after being accused of responsibility for an event that could clearly be a catastrophe for Americans.

Our consultants at Strategy and Security mention that gasoline prices are unlikely to be affected if the pipeline returns to normal operation in the next few days, but they consider the incident to be the worst cyberattack to date against vital US infrastructure. This should serve as a wake-up call to companies about the vulnerabilities they face.
