Who’s Hiding Behind the “Pay2Key” Ransomware Group?

  • White-hat researchers have followed the money of four ransom payments to “Pay2Key”.
  • The actors have strong links with Iran, which makes sense considering their insistence on targeting Israeli firms.
  • The Iranian crypto exchange they’re using could be holding their identification details.

CheckPoint has been following “Pay2Key” closely since last week, trying to figure out whatever they can about the emerging ransomware group. As the actors managed to compromise a notable number of targets, received payments, and posted stolen data online, they have left some crumbles of evidence behind.

More specifically, CheckPoint researchers have managed to trace Bitcoin transactions and gather more clues about who could be behind the wallets with the help of the ‘Whitestream’ blockchain intelligence firm.

Source: CheckPoint

First of all, Pay2Key is clearly focused on Israeli targets, although they have had some victims from central Europe, too. Secondly, Pay2Key is no different from the “industry standard” of stealing and leaking sensitive data on a dedicated Onion domain. The most useful kind of evidence comes from the money routes, though, and the researchers had four individual cases of payment to analyze.

The payments went to Iranian cryptocurrency exchange ‘Excoino,’ which matches the assumptions made based on the insistence against Israel. The payment goes to the wallet ID provided in the ransom note, and then the actors transfer it to an intermediate wallet.

From there, the money goes through a third jump to a high-activity cluster wallet address. The researchers used a “Wallet Explorer” service to verify the link between each step and managed to develop confident ID linkages.

Source: CheckPoint

Since Excoino is a legitimate service, they require users to register using a valid Iranian phone number and ID/Melli code (national ID number). To trade in the platform, one would need to upload a copy of their ID card, so there can be no anonymous malicious activity there unless it goes unnoticed and unreported. Excoino urges people to report suspicious transactions to the Iranian Cyber Police for investigation, so this is why the CheckPoint research is so valuable in this case.

We now know that the actors are almost certainly based in Iran and that an Iranian-based exchange is involved. We also know that this platform could be holding the identification details of the actors.

Of course, stopping Pay2Key won’t stop ransomware trouble in Israel, as Iranian hackers are always active against Israeli companies. However, it is a form of reaction against crooks and proof of why white-hat research should never be considered futile.



How to Watch Chicago Blackhawks Games Online Without Cable

The Chicago Blackhawks are one of the most widely known teams in the NHL, with a lot of history and a fanbase...

How to Watch Pam & Tommy Online from Anywhere: Release Date, Cast, Plot, & Trailer

This biographical drama series surrounds the infamous controversial '90s tape of Motley Crue drummer Tommy Lee and then-wife actress Pamela Anderson that...

Attack On Titan Becomes Most “In-Demand” Series of 2021

Attack on Titan has indeed come a long way since the manga, by Hajime Isayama, first released in 2009. Of course, the...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari