CDK Global Reportedly Paid $25 Million Ransom Following Cyberattack That Crippled 15,000 Car Dealerships

12 July 2024, cyberscoop.com

CDK Global reportedly paid $25 million in bitcoin to the BlackSuit ransomware group following a cyberattack that disrupted 15,000 car dealerships nationwide. The payment, tracked by blockchain intelligence firm TRM Labs, would mark the second-largest ransomware payment on record if confirmed. The attack forced CDK Global to shut down systems on June 19 after detecting multiple incidents, significantly impacting auto dealership operations across the United States before systems were restored by June 20.

Key Takeaways

  1. The cyberattack timeline began on June 19, when CDK Global first detected a cybersecurity incident and made the precautionary decision to shut down most of its systems.
  2. "Approximately 387 bitcoin, valued around $25 million, was transferred to a wallet likely controlled by BlackSuit on June 21," TRM Labs told CyberScoop.
  3. A massive cryptocurrency payment totaling more than $25 million was transferred to a wallet linked to the BlackSuit ransomware group just two days after a devastating cyberattack paralyzed CDK Global's software systems, according to blockchain intelligence experts.

A massive cryptocurrency payment totaling more than $25 million was transferred to a wallet linked to the BlackSuit ransomware group just two days after a devastating cyberattack paralyzed CDK Global's software systems, according to blockchain intelligence experts. The attack disrupted operations at approximately 15,000 car dealerships across the United States, marking one of the most significant cybersecurity incidents to impact the automotive industry.

Blockchain intelligence firm TRM Labs revealed that approximately 387 bitcoin, valued at around $25 million, was transferred to a wallet likely controlled by BlackSuit on June 21. The timing of this substantial payment strongly suggests that CDK Global may have paid a ransom to resolve the cyber incident, though it does not definitively confirm the payment's origin.

"Approximately 387 bitcoin, valued around $25 million, was transferred to a wallet likely controlled by BlackSuit on June 21," TRM Labs told CyberScoop. Despite mounting evidence of the payment, representatives from CDK Global and its parent company, Brookfield Business Partners, have remained silent on whether a ransom was actually paid.


By the Numbers

If confirmed, this payment would represent the second-largest ransomware payment on record, falling just short of the $40 million that CNA Financial Corp. paid in 2021. The incident would also continue a troubling trend in 2023, which has already witnessed another major ransom payment when UnitedHealth Group paid $22 million to attackers connected to the now-defunct ALPHV ransomware group.

Following the Money

The sophisticated money laundering operation that followed the payment reveals the organized nature of these cybercriminal enterprises. TRM Labs tracked how approximately $15 million was rapidly moved through a complex web of nearly 200 transactions immediately after the payment hit the BlackSuit wallet. The funds were then dispersed across more than 20 different addresses spanning five separate global exchanges, demonstrating classic money laundering techniques used by ransomware groups.

Additionally, over $6 million was transferred to more than 15 addresses across four global exchanges, with movements continuing as of TRM Labs' latest reports. The intricate financial choreography highlights the professional nature of modern ransomware operations and the challenges law enforcement faces in tracking stolen funds.

Particularly concerning is evidence suggesting a broader criminal network at play. One wallet involved in these transactions appears connected to an active BlackSuit affiliate, with researchers noting that "this address had received payments from several confirmed BlackSuit and Wizard Spider victims." Wizard Spider refers to a specific group of financially motivated cybercriminals believed to operate within the Russian cybercrime ecosystem, according to industry analysts.


An independent source corroborated the estimated $25 million payment to the BlackSuit-linked wallet. This confirmation coincided with a Bloomberg report revealing that the CDK Global hackers were demanding "tens of millions of dollars in ransom," suggesting the company was positioned to meet these demands.


The cyberattack timeline began on June 19, when CDK Global first detected a cybersecurity incident and made the precautionary decision to shut down most of its systems. "This decision came after we detected a second incident that same day," explained Lisa Finney, CDK Senior Manager of External Communications. The company faced the challenging reality of a double-pronged attack, forcing them to take their critical systems offline to prevent further damage.


By June 20, CDK Global's recovery efforts were showing progress. Tony Macrito, CDK Global's Senior Director of Communications, confirmed that all critical applications were back online, though the brief shutdown had already sent shockwaves throughout the automotive industry.

Impact and Legacy

The ripple effects of the attack extended far beyond CDK Global's immediate operations. At least six publicly traded companies in the auto dealership sector filed reports with the Securities and Exchange Commission stating that their business operations had been significantly disrupted due to the incident. The widespread impact underscores the automotive industry's heavy reliance on CDK Global's software infrastructure for everything from inventory management to customer transactions.

Interestingly, Brookfield Business Partners struck a more optimistic tone in a July 3 press release, expressing confidence that the cyber incident would not materially impact their business operations. This assessment came despite the SEC's requirement that companies conduct a "materiality determination" following ransomware attacks, emphasizing the need for transparency in cybersecurity incident aftermath.


This incident serves as a stark reminder of ransomware groups' growing sophistication and their strategic targeting of critical infrastructure sectors. The automotive industry's digital transformation, while improving efficiency and customer experience, has also created new vulnerabilities that cybercriminals are increasingly exploiting. The BlackSuit group's ability to demand and potentially receive such a substantial ransom payment demonstrates the severe financial pressure these attacks place on companies managing critical business infrastructure.

The CDK Global attack highlights the broader challenge facing American businesses as ransomware groups continue targeting sectors that underpin the economy's daily operations, from healthcare systems to automotive networks.
