Hackers appear to begin selling data they stole from Shirbit insurance firm

After ransom deadline passes, account for group identifying as Black Shadow reportedly receives bitcoin payment of $104,000

Illustrative image of bitcoins (Courtesy BitsofGold)

Bitcoins have begun to move into the online wallet of hackers who stole a vast trove of information from an Israeli insurance company, leading to fears that the group has begun to sell the data after the firm refused to pay it ransom money, according to Hebrew media reports Monday.

On Saturday night the Black Shadow account received a payment of five bitcoins, worth about $104,000, the Walla news website reported, along with a screen capture of the account showing the payment.

According to the report, the transfer was seen as a sign that the personal information of Israelis snatched from Shirbit Insurance last week was being sold to an unknown third party.

Due to the anonymous nature of bitcoin transfers, the identities of the account holders and of whoever made the payment are hidden.

The hackers had said they would leak or sell the information they obtained in their cyberattack if Shirbit Insurance did not pay a ransom of 50 bitcoins ($960,000 or NIS 3.1 million) by Friday morning.

The group said the ransom would double every 24 hours and that after three days it would begin selling the data.

The offices of Shirbit insurance company, December 4, 2020 (Screen grab/Kan)

In the meantime Black Shadow leaked thousands of documents from the hoard to the internet as a warning that it would carry out its threat. Many of Shirbit’s clients are from the public sector and images of private documents released included the vehicle registration and credit card details of an employee at the President’s Residence, as well as personal correspondence and a marriage certificate. Earlier leaks had reportedly included the personal details of the president of the Tel Aviv District Court.

Shirbit has held discussions with the hackers via text message, but has refused to pay.

An emergency meeting Monday of the Knesset Science and Technology Committee to discuss the attack on Shirbit heard that there is no clear official state policy of paying a ransom for information.

“Responsibility for negotiations and the payment is solely the responsibility of the company,” Amit Gal, a senior official in the Capital Markets Authority, said at the meeting according to a statement from the Knesset.

The police’s Lahav 433 financial crimes unit has opened an investigation into the hack, Hebrew media reported Monday.

There is no indication that Black Shadow has any other information and there are signs the hack may have been carried out by Israelis, Channel 12 news reported.

One pointer was seen among the documents already published on the internet, which include an internal document regarding information security that Shirbit had sent to its workers. According to the report, the fact that the document has no personal details and was selected out of the masses of documents stolen appears to show that whoever posted it must understand Hebrew.

Black Shadow has published several screenshots of its negotiations with Shirbit and screen captures that appeared to show requests from other parties interested in the stolen information, including one that claimed to be from Iran.

In a Friday statement explaining its refusal to pay the demanded sum, Shirbit said that after negotiations all Thursday night, “all the relevant professionals came to the unanimous conclusion that cyberterrorism is aimed at causing strategic harm — and there is no financial motive behind it.”

The company appeared to insinuate that the attack was targeting Israel, rather than the company specifically. However, in an exchange with the Kan public broadcaster, a person claiming to be part of the group denied the claim.

“If we were the enemy of the state, we would sell the information to Israel’s enemies. So far we have not negotiated with anyone other than the company,” the person said.

Alleged screenshots of the negotiations between Shirbit insurance and a hacker group blackmailing the company, as supplied by the hackers, December 4, 2020 (Courtesy)

News of the attack was announced in a joint statement last Tuesday when the Capital Markets Authority and the Israel National Cyber Directorate confirmed that there had been a cyberattack on Shirbit and that information had leaked in the breach.

The statement said that an investigation into a possible cyber incident had begun the night before amid suspicions of an attack on the company’s servers.

Black Shadow took responsibility for the attack, boasting of its success in a series of tweets in poorly written English that included images of some of the information taken, as well as technical details apparently intended to show the scale of the assault.

Shirbit specializes in real estate, auto and travel insurance. A month ago it won a bid to provide auto insurance for the country’s civil service employees during 2021, the Walla website reported.
