Monitoring WannaCry hackers' bitcoin addresses in real time

[coinits]

For a global attack they have not collected a lot of bitcoin yet. Results as of 16:00 GMT

Address 1: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

live link: https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

31 transactions = 4.65255659 BTC



Address 2: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

live link: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

27 transactions = 3.10004389 BTC



Wallet 3: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

live link: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

36 transactions = 6.53259945 BTC



~ 14.28 BTC x $1735.35 per BTC = $24,781 ransom paid thus far.



Add more addresses as you find them.

[Qunenin]

For a global attack they have not collected a lot of bitcoin yet. Results as of 16:00 GMT

Address 1: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

live link: https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

31 transactions = 4.65255659 BTC



Address 2: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

live link: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

27 transactions = 3.10004389 BTC



Wallet 3: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

live link: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

36 transactions = 6.53259945 BTC



~ 14.28 BTC x $1735.35 per BTC = $24,781 ransom paid thus far.



Add more addresses as you find them.

As compare to a massive world wide attack, the amount collected so far is not as much as it should be.  I also wonder if the people after paying the ransom, were there computer back to normal or still they remain affected by virus ?

[coinits]

For a global attack they have not collected a lot of bitcoin yet. Results as of 16:00 GMT

Address 1: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

live link: https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

31 transactions = 4.65255659 BTC



Address 2: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

live link: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

27 transactions = 3.10004389 BTC



Wallet 3: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

live link: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

36 transactions = 6.53259945 BTC



~ 14.28 BTC x $1735.35 per BTC = $24,781 ransom paid thus far.



Add more addresses as you find them.

As compare to a massive world wide attack, the amount collected so far is not as much as it should be.  I also wonder if the people after paying the ransom, were there computer back to normal or still they remain affected by virus ?

I assume the following:
- that some institutions reverted to clean backups
- there are more than 3 addresses
- spread was stopped by a blogger who discovered a kill switch in the virus (this has been verified) - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

[Iranus]

Do people really not back up their files regularly?

I would assume that a huge part of the reason the thieves aren't getting as much money as we'd expect is because most people back up their files at least every month or so.  Institutions should back up their files much more regularly than that.

Unless there's very significant new sensitive information that needs decrypting, there's not much reason for people to pay such a big ransom.  If it was $20 instead, I would probably pay it anyway, but there's really no point.

[NeuroticFish]

If it was $20 instead, I would probably pay it anyway, but there's really no point.

Yes, that's why they don't really target individuals. But if they've found a couple of sloppy companies, jackpot!

I assume the following:
- that some institutions reverted to clean backups
- there are more than 3 addresses
- spread was stopped by a blogger who discovered a kill switch in the virus (this has been verified) - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

There have to be more than 3 addresses. And it's Saturday, many companies cannot access their money until the banks open Monday. Only then we'll see how big the damage is...

[leopard2]

LOL hourly rate of hackers is not so good IMHO, maybe honest contract work would have been better... (they obviously have skills)

[FruitsBasket]

If it was $20 instead, I would probably pay it anyway, but there's really no point.

Yes, that's why they don't really target individuals. But if they've found a couple of sloppy companies, jackpot!

I assume the following:
- that some institutions reverted to clean backups
- there are more than 3 addresses
- spread was stopped by a blogger who discovered a kill switch in the virus (this has been verified) - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

There have to be more than 3 addresses. And it's Saturday, many companies cannot access their money until the banks open Monday. Only then we'll see how big the damage is...

Do you really think that those big companies that are affected by the virus will be paying bitcoins to decrypt their infected files? I think they just get specialist to remove the ransomware, but I am not sure if that is even possible with this big infection from last week.

[Janation]

LOL hourly rate of hackers is not so good IMHO, maybe honest contract work would have been better... (they obviously have skills)

Maybe they are tired being bossed around and not satisfied with what they are earning. So, since they have skills, why not do something that will make them earn more than they usually do. But, they are wasting their skills making such crimes, they can do better than that.

[stripykitteh]

For a global attack they have not collected a lot of bitcoin yet. Results as of 16:00 GMT

Address 1: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

live link: https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

31 transactions = 4.65255659 BTC



Address 2: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

live link: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

27 transactions = 3.10004389 BTC



Wallet 3: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

live link: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

36 transactions = 6.53259945 BTC



~ 14.28 BTC x $1735.35 per BTC = $24,781 ransom paid thus far.



Add more addresses as you find them.

That’s a pretty nice payday for not really doing anything all day. I am pretty sure that the hacker might’ve paid for the ransom software so he might be in the negative right now.
What is kind of surprising to me is that these people have Bitcoin already installed or they have already verified their profiles on Bitcoin Exchanges that allowed them to pay the ransom. That was really fast considering how Bitcoin is pretty new to the scene, somebody should fire the tech guy.

[crairezx20]

If it was $20 instead, I would probably pay it anyway, but there's really no point.

Yes, that's why they don't really target individuals. But if they've found a couple of sloppy companies, jackpot!

I assume the following:
- that some institutions reverted to clean backups
- there are more than 3 addresses
- spread was stopped by a blogger who discovered a kill switch in the virus (this has been verified) - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

There have to be more than 3 addresses. And it's Saturday, many companies cannot access their money until the banks open Monday. Only then we'll see how big the damage is...

Do you really think that those big companies that are affected by the virus will be paying bitcoins to decrypt their infected files? I think they just get specialist to remove the ransomware, but I am not sure if that is even possible with this big infection from last week.

Ransomware honestly its so easy to remove there are many software that can remove those ransomeware upon experience this virus before by many laptops and computers when i was repairing their computer i notice that they are just hiding the files and only the created and copy of your files are in same folder that you can only seen if you turn of the hide system files..
Kaspersky is 1 of the tool that can recover your files from ransomware  this link may help you to recover all of your files from ransomware.
https://noransom.kaspersky.com/
many different ransomware so you can test them all to clean affected computer..

The other thing to make clean your computer is advanced hirens not a free 1 i think the hirens that i use for repairing by many years its i think hirens restored edition proteus.. this is not recommended for beginners . you can find this tool in piratebay..

[BitMaxz]

I think computer that has no anti virus can be affected easily most of those virus is from torrent and some files we are download so always check that you are using a good antivirus to protect your file..  i already experience my computer was affect the exe files almost all are affected but i just use and update my os and the internet security and fix my issue.

every time i open my computer there is a welcome note that i need to pay for the amount to recover all the files effected they said its not  a virus but they are giving a password to decrypt affected computer after payment..
But  never pay them because i know many ways to fix the computer.

[freebutcaged]

I think Windows is trying to take ransom from me for a few days when I open my laptop with Windows 10 installed which I downloaded from official MicroSoft source now I get a watermark note in bottom right corner that asks me to activate Windows, wtf is this related to the hacking currently?

[coinits]

If it was $20 instead, I would probably pay it anyway, but there's really no point.

Yes, that's why they don't really target individuals. But if they've found a couple of sloppy companies, jackpot!

I assume the following:
- that some institutions reverted to clean backups
- there are more than 3 addresses
- spread was stopped by a blogger who discovered a kill switch in the virus (this has been verified) - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

There have to be more than 3 addresses. And it's Saturday, many companies cannot access their money until the banks open Monday. Only then we'll see how big the damage is...

Do you really think that those big companies that are affected by the virus will be paying bitcoins to decrypt their infected files? I think they just get specialist to remove the ransomware, but I am not sure if that is even possible with this big infection from last week.

If the files are truly encrypted, removing the ransomware will not get the files back. Unless there is a clean backup you either lose the data or pay the ransom, and there is no guarantee that the key to decrypt will be supplied.

[coinits]

For a global attack they have not collected a lot of bitcoin yet. Results as of 16:00 GMT

Address 1: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

live link: https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

31 transactions = 4.65255659 BTC



Address 2: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

live link: https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

27 transactions = 3.10004389 BTC



Wallet 3: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

live link: https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

36 transactions = 6.53259945 BTC



~ 14.28 BTC x $1735.35 per BTC = $24,781 ransom paid thus far.



Add more addresses as you find them.

UPDATE: 02:15 GMT

Address 1: 39 transactions = 6.97303882 BTC
Address 2: 30 transactions = 3.64134512 BTC
Address 3: 35 transactions = 5.00218759 BTC

EDIT: How could an address grow in transactions and shrink in total BTC when no withdrawals have taken place? (see address #3)

[Korporal]

If it was $20 instead, I would probably pay it anyway, but there's really no point.

Yes, that's why they don't really target individuals. But if they've found a couple of sloppy companies, jackpot!

I assume the following:
- that some institutions reverted to clean backups
- there are more than 3 addresses
- spread was stopped by a blogger who discovered a kill switch in the virus (this has been verified) - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

There have to be more than 3 addresses. And it's Saturday, many companies cannot access their money until the banks open Monday. Only then we'll see how big the damage is...

Do you really think that those big companies that are affected by the virus will be paying bitcoins to decrypt their infected files? I think they just get specialist to remove the ransomware, but I am not sure if that is even possible with this big infection from last week.

If the files are truly encrypted, removing the ransomware will not get the files back. Unless there is a clean backup you either lose the data or pay the ransom, and there is no guarantee that the key to decrypt will be supplied.

Not necessarily.
If your files are on magnetic HD and not on an SSD, you could try to recover encrypted files by using a decent file recovery program. As long as the encryption process doesn't do too many passes on the file location on the platter you "might" be able to recover the original version.
Haven't tried it but its worth a shot. What other options do you have?
I've recovered files deleted 8 years ago off a customers pc a few years ago. BTW, I was using forensic-level recovery programs tho.

[jaberwock]

Now how they will spend their hard earned hacking money, considering the addresses are known and probably are blacklisted everywhere?

[shinratensei_]

If it was $20 instead, I would probably pay it anyway, but there's really no point.

Yes, that's why they don't really target individuals. But if they've found a couple of sloppy companies, jackpot!

I assume the following:
- that some institutions reverted to clean backups
- there are more than 3 addresses
- spread was stopped by a blogger who discovered a kill switch in the virus (this has been verified) - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

There have to be more than 3 addresses. And it's Saturday, many companies cannot access their money until the banks open Monday. Only then we'll see how big the damage is...

Do you really think that those big companies that are affected by the virus will be paying bitcoins to decrypt their infected files? I think they just get specialist to remove the ransomware, but I am not sure if that is even possible with this big infection from last week.

Ransomware honestly its so easy to remove there are many software that can remove those ransomeware upon experience this virus before by many laptops and computers when i was repairing their computer i notice that they are just hiding the files and only the created and copy of your files are in same folder that you can only seen if you turn of the hide system files..
Kaspersky is 1 of the tool that can recover your files from ransomware  this link may help you to recover all of your files from ransomware.
https://noransom.kaspersky.com/
many different ransomware so you can test them all to clean affected computer..

The other thing to make clean your computer is advanced hirens not a free 1 i think the hirens that i use for repairing by many years its i think hirens restored edition proteus.. this is not recommended for beginners . you can find this tool in piratebay..

Are you sure? In this time I was assuming if Wannacry is a new ransom and it's not registered on the database.
The ransom must be registered on the database and the software can be identifying the kind of ransom and try to recover the computer. I can't get your point but it seems impossible right now. Because WannaCry has made on 14 April and it's new ransom.

[coinits]

Question: Once you pay the ransom, how does the hacker know it was you who paid?

I missed that part. I mean people are sending their BTC to them. How are they tying the payment to the computer?

[lausam]

To get anything will be done in various ways for the sake of individual pleasure .. that's the brightness that does not care about each other ..

[Wendigo]

Now how they will spend their hard earned hacking money, considering the addresses are known and probably are blacklisted everywhere?

Putting the coins through a mixing service most likely.