WannaCry Hackers Are Using This Swiss Company To Launder $142,000 Bitcoin Ransoms

Remember those pesky WannaCry ransomware hackers? They're starting to shift their bitcoin around and Forbes has learned they're using a Swiss cryptocurrency exchange called ShapeShift to do it.

WannaCry infected as many as 200,000 computers when it broke out in May, locking up systems and demanding $300 in bitcoin from victims wanting their files back. Though many believed the attackers were more concerned about causing disruption, and security experts suggesting North Korea was behind the hacks, the perpetrators are starting to launder their $143,000 in bitcoin.

To do that, they've first "split" the money in each of the three wallets known to be used by WannaCry, before sending the funds to Shapeshift.io for conversion into Monero, a currency that's incredibly hard to track, as confirmed by two separate cryptocurrency tracking firms, Neutrino.nu and Chainalysis. The hackers haven't moved all the money yet, though. Only 13.5 bitcoin ($36,922) out of 51.9 have been moved, noted Chainalysis co-founder Jonathan Levin.

ShapeShift, led by American and long-time bitcoin luminary Erik Voorhees, allows customers to swap whatever currency they're using by just providing an email, making it a quick, easy and anonymous way to change funds. All users have to do is send they money and ShapeShift send back the equivalent in whatever cryptocurrency was chosen. As its own literature says: "From start to finish, ShapeShift can change currencies in under ten seconds, no account required." Under its terms of service, the company prohibits illegal use of its product. The company had not responded to requests for comment at the time of publication.

The use of Monero will make it considerably harder for companies to track, said Giancarlo Russo, Neutrino.nu CEO. "Monero is totally anonymous so far," he told Forbes. "It will not be possible to follow further movements.

"By design, the Monero blockchain doesn't publish transaction amounts and so it is not possible to follow them as we do for bitcoins."

The WannaCry ransomware borrowed from leaked NSA exploits and caused severe disruption at UK hospitals, even infecting a medical device in a U.S. hospital. Wallets for an earlier version were also emptied in July with similar transactions carried out through ShapeShift, according to Russo.

Earlier in July, the hackers behind another destructive ransomware, NotPetya, shifted 3.96 bitcoins ($10,382) out of their wallet. NotPetya pilfered from the same NSA-developed cyberweapons to cause disruption at major businesses, including shipping giant Maersk and drug manufacturer Merck.