Developing: Someone claiming to be an “affiliate plus” for AlphV says they were responsible for the Change Healthcare attack but that AlphV stole the payment Change Healthcare had made and suspended the affiliate’s account.
The affiliate’s claims appeared on Ramp Forum and have been circulating since then. The post can be seen below, via @vx-underground:
So Change Healthcare reportedly paid $22 million to get a decryptor and to get their data deleted, but a copy of the data is still in the hands of the affiliate, who did not receive their share of the payment. The affiliate provided the exact wallet address in their post.
DataBreaches was able to reach a now-former admin of AlphV. They informed DataBreaches that they had nothing to do with the Change Healthcare attack or aftermath, and they have now left AlphV after they, too, were locked out of some things. They confirmed that the admin(s) had stolen the affiliate’s funds and also confirmed that Change Healthcare had been given a decryptor after they paid. The problem now for Change, the former admin said, is the data.
A re-branding is pending, the individual said, adding that “lots” of listings on the current AlphV site are fakes. When asked which are fakes, they named Dragos, Tripalti, and “some insurance companies.”
According to this source, we should expect to see more victims re-extorted.
After AlphV was taken down in December, it tried to recruit new affiliates by offering them “Affiliate Plus” status — i.e., a bigger share of any payments.
“I guess LB was the safer option after all,” they added.
DataBreaches reached out to Change Healthcare to ask if they would confirm or deny the affiliate’s allegations about their payment and the decryptor, but they would only respond, “Right now I can share that we are focused on the investigation.”
This post was updated at 9:50 pm to add Change Healthcare’s response to inquiries.