It’s been 12 weeks since the WannaCry ransomware attack infected computers across the globe, encrypting their files and charging their owners $300 to $600 for the keys to get them back. In total, the hackers made about $140,000 in bitcoin from the operation, which on May 12 forced emergency rooms in the U.K. to turn away patients, and shut down a Spanish telecommunications company and a Russian cellphone operator.
Since the attack, that $140,000 sat untouched, spread across the three bitcoin wallets where victims were instructed to send their ransom payments. Few expected the money would ever move out of the accounts, as they were surely watched by law-enforcement agencies around the world. But on Wednesday night, the money began to move.
A Twitter bot set up by Quartz to watch the bitcoin accounts, which are publicly accessible on the blockchain, picked up the first withdrawals at 11:10pm ET:
Those first transactions made up about $70,000, half of the total the accounts held. Five minutes later, there were another three withdrawals, which emptied the accounts:
The money was likely sent through a bitcoin mixer, a process that obscures its trail from bitcoin to hard currency. The process is a sort of laundering operation for digital currency. The general consensus among security experts and government agencies is that North Korea was behind the WannaCry attack, and that the operation was more political than money-driven.
Correction: There were a total of six withdrawals from the WannaCry bitcoin accounts; a previous version of this article said there were seven.