Colonial Pipeline hackers claim they disbanded amid 'pressure' from US -- but experts aren't buying it
The hacking syndicate said to be responsible for the Colonial Pipeline attack has announced plans to "shut down" amid pressure from the United States government. However, according to The New York Times, cybersecurity experts are not sure they are buying that proclamation.
On Friday, May 14, DarkSide issued a statement written in Russian to the publication confirming its immediate plans. "Due to the pressure from the U.S., the affiliate program is closed," the statement said. "Stay safe and good luck."
While the group insists mounting pressure from the U.S. government influenced its decision to disband, it offered no specifics about the so-called pressure it faces. However, on Thursday, President Joe Biden did indicate that the government has not ruled out the possibility of a retaliatory strike that could "disrupt their [DarkSide] ability to operate."
However, cybersecurity experts are not sure they believe the hacking syndicate. There are now concerns that the statement could simply be a ruse while the syndicate takes time to regroup and plot its next attack. Based on the timeline of events leading up to the Colonial Pipeline hack, there is reason to believe the latest attack is only one of many that could arise in the future.
"It's likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways," said Mark Arena, chief executive of Intel 471. "A number of the operators will most likely continue to operate in their own close-knit groups, resurfacing under different aliases and ransomware names."
Initially, Colonial Pipeline claimed it would not pay out a ransom but ultimately made the decision to do so in an effort to regain control of its network and get fuel flowing again.
After further investigation, the cybersecurity firm Elliptic managed to trace some of the transaction history for the Bitcoin wallet address used to receive the $5 million ransom. In addition to the six-figure payment Colonial Pipeline provided for the ransom last Saturday, address logs showed that the organization had received a total of $17.5 million from 21 Bitcoin wallets since March.
This leads cybersecurity analysts to believe the organization is responsible for a number of cyberattacks that have taken place since August, and that it may have used multiple Bitcoin wallets to receive ransoms for previous cyberattacks.
According to the San Francisco-based blockchain intelligence company, TRM Labs, "on Thursday, someone withdrew roughly 113.5 Bitcoin, or $5.6 million, from DarkSide's Bitcoin wallet and moved it into an unknown user's account" and the total appears to have "amounted to Colonial's 75 Bitcoin ransom plus that of a German company, Brenntag, which also opted to pay its digital extortionists."
Despite the available transaction history, the decentralized nature of cryptocurrency has made it nearly impossible for TRM Labs to identify the actual owner of the Bitcoin wallet.