In this article we look at a case study in which a ransomware group lost its "hard-earned" ransom money to a crypto exchange heist.

INTRODUCTION
On January 26th, 2025, Babuk, the well-known ransomware group, announced its comeback as the Babuk 2.0 Project.

Among the contact details in the announcement, I found the group's Bitcoin wallet address:
BABUK Wallet: 1JdvS63gBEFH3auYStgeSB3Q2xMdi5cZiF
Babuk has been using Indodax, the largest crypto trading platform in Indonesia 🇮🇩
Checking the balance shows the group had taken in about $21,964 in this wallet alone.
The group regularly transfers its money to a primary hot wallet belonging to the Indodax exchange: 1JUToCyRL5UwgeucjnFAagKs4v1YqhjT1d
The first such transfer, of $504, was made to the Indodax hot wallet on 20th August 2023.

In total, the group moved about $7,017 to this hot wallet. The last transaction from Babuk to this wallet was on 27th April 2024.
DIVING INTO: 1JUToCyRL5UwgeucjnFAagKs4v1YqhjT1d
- In June 2019, this same wallet was associated with a ransomware incident.
- Later in 2019, the same address was used by several illegal or shady businesses, among them Innovamine, whose owner, a Latvian 🇱🇻 national named Ivars Auzins, was charged by the US Securities and Exchange Commission (SEC).
- In 2021, a fake crypto mining shop, bitmain.shopping, was also associated with the same Bitcoin wallet.
- In January 2022, the same wallet appeared on another fraudulent service, Westfarmersglobal.com.

All of this is consistent with the address being an exchange-controlled deposit wallet: many unrelated customers, fraudsters included, pay into it, so it turns up in reports about each of them without belonging to any of them.
INDODAX HACKED: BABUK FUNDS STOLEN
On September 11, 2024, Indodax officially announced a security incident in which roughly $20M was drained by the attackers from several of its hot wallets.

NOTE: Among them was the regular Indodax hot wallet that Babuk had been using to deposit its funds.
WHAT NEXT?
With the incident, the Babuk group lost the wallet it had been treating as its primary savings account.
The group moved their next ransom funds to another Indodax wallet: bc1qvnk8xkw9esmujpjz00hs4706j3803s9nf5z2px
NOTE: The first wallet was compromised and its funds drained; the author sees this as possibly pointing to 🇰🇵 DPRK (North Korean) activity.
Analyzing the transactions shows that the Babuk group moved about $1,777 to this address, with the last transaction recorded on 17th January 2025.
NOTE: Indodax introduced this new hot wallet in 2022, when the company adopted Proof of Reserves.
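The two Indodax deposit addresses quoted above are in different formats: a legacy Base58Check address (starting with 1) and a native SegWit bech32 address (starting with bc1q). Before pasting addresses copied from a leak site or chat channel into a block explorer, it pays to check that they decode cleanly, because both formats carry a checksum that catches a single transcription error. The following Python is an added example, not code from the original article, that validates and classifies Bitcoin mainnet addresses offline (Base58Check with the SHA-256d checksum, bech32/bech32m per BIP173/BIP350). It is run over the addresses quoted in this article and over two well-known reference addresses (the genesis-block coinbase address and the BIP173 P2WPKH test vector); the address list and function names are this example's own.

```python
import hashlib

# Addresses quoted in the article (constructed list for the demo at the bottom).
ARTICLE_ADDRESSES = [
    "1JdvS63gBEFH3auYStgeSB3Q2xMdi5cZiF",          # Babuk wallet
    "1JUToCyRL5UwgeucjnFAagKs4v1YqhjT1d",          # Indodax hot wallet (drained)
    "bc1qvnk8xkw9esmujpjz00hs4706j3803s9nf5z2px",  # newer Indodax hot wallet
]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def b58check_decode(addr: str):
    """Return version+payload bytes if the Base58Check checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_decode(bech: str):
    """Return (hrp, 5-bit data without checksum, encoding) or None; rejects mixed case."""
    if any(ord(c) < 33 or ord(c) > 126 for c in bech):
        return None
    if bech.lower() != bech and bech.upper() != bech:
        return None
    bech = bech.lower()
    pos = bech.rfind("1")
    if pos < 1 or pos + 7 > len(bech) or len(bech) > 90:
        return None
    if not all(c in BECH32_CHARSET for c in bech[pos + 1:]):
        return None
    hrp = bech[:pos]
    data = [BECH32_CHARSET.find(c) for c in bech[pos + 1:]]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = bech32_polymod(hrp_exp + data)
    encoding = {1: "bech32", 0x2BC830A3: "bech32m"}.get(const)
    return None if encoding is None else (hrp, data[:-6], encoding)


def convertbits(data, frombits, tobits):
    """Regroup bits strictly (no padding allowed); None if leftover bits are non-zero."""
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def classify_btc_address(addr: str):
    """Describe a mainnet address type, or return None if it fails validation."""
    payload = b58check_decode(addr)
    if payload is not None:
        if len(payload) != 21:
            return None
        return {0x00: "P2PKH (legacy)", 0x05: "P2SH (legacy)"}.get(payload[0])
    dec = bech32_decode(addr)
    if dec is None:
        return None
    hrp, data, enc = dec
    if hrp != "bc" or not data:
        return None
    ver, prog = data[0], convertbits(data[1:], 5, 8)
    if prog is None or not 2 <= len(prog) <= 40:
        return None
    if ver == 0:  # v0 must use bech32 and be 20 (P2WPKH) or 32 (P2WSH) bytes
        if enc != "bech32" or len(prog) not in (20, 32):
            return None
        return "P2WPKH (native SegWit v0)" if len(prog) == 20 else "P2WSH (native SegWit v0)"
    if ver > 16 or enc != "bech32m":
        return None
    return f"SegWit v{ver} (bech32m)"


if __name__ == "__main__":
    for a in ARTICLE_ADDRESSES:
        print(a, "->", classify_btc_address(a) or "INVALID (checksum or format error)")
```

A return of None for an address you copied from a report means the address has been mangled in transit (OCR, a stray character, a changed case), and any balance you then look up belongs to nobody; validate first, then trace.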
CONCLUSION
This may be the wallet the group maintains specifically for depositing funds into Indodax, possibly to take advantage of some shady practice there. It is also possible that the group uses it as a secondary or ad-hoc wallet to receive smaller payments from victims.
In any case, when an exchange or app is hacked and drained, the deposits held there disappear with it. Even where cyber insurance is in place, the chances of recovering funds after a hack of this size are slim.
NOTE: This article is individual research belonging to THE RAVEN FILE and may not be used or published elsewhere without the author's consent.
Follow me on X/Twitter for interesting DarkWeb/InfoSec Short findings! 😉