'Exit scam' - hackers that hit UnitedHealth pull disappearing act

FILE PHOTO: The corporate logo of the UnitedHealth Group appears on the side of one of their office buildings in Santa Ana, California

By James Pearson and Christopher Bing

WASHINGTON (Reuters) -The hackers responsible for the breach at UnitedHealth Group appear to have pulled a disappearing act on Tuesday, leaving their cybercriminal associates in the lurch and replacing their old website with a bogus statement from law enforcement.

The U.S. insurer disclosed on Feb. 21 that Blackcat hacking gang - also known as ALPHV - had perpetrated a cyberattack on its technology unit Change Healthcare, causing disruptions across the U.S. healthcare system.

A message posted to Blackcat's website said it had been impounded "as part of a coordinated law enforcement action" by U.S. authorities and other law enforcement agencies. Among the logos of non-American agencies involved were those of Europol and Britain's National Crime Agency.

The FBI declined comment and Europol did not return messages, but a National Crime Agency spokesperson said: "I can confirm any recent disruption to ALPHV infrastructure is not a result of NCA activity."

Blackcat has not responded to Reuters requests for comment in several days.

Security experts said the law enforcement denial and other clues made it look like the hackers had simply decided to shut up shop.

"This appears to be a classic exit scam," said researcher Will Thomas. In an exit scam, hackers pretend to be knocked out of commission only to quietly pocket their partners' money and start over under a new name.

Thomas said Blackcat was already believed to be a rebrand of a previous hacker group dubbed DarkSide.

"It would not be a surprise if they return once more in the not-too-distant future," he said.

Even before the seizure notice, there were signs of something unusual following the intrusion at the tech unit of UnitedHealth, which has caused serious disruption across the United States.

Last week Blackcat posted a message saying it had stolen millions of sensitive records from UnitedHealth, only to delete the claim without explanation.

On Sunday, someone posting to a hacker forum alleged that the gang had cheated them out of their share of the $22 million ransom that UnitedHealth had allegedly paid to restore its systems.

UnitedHealth had not commented on whether it paid a ransom, and did not return a message on Tuesday seeking comment.

(Reporting by James Pearson in London, Christopher Bing and Raphael Satter in Washington, and Zeba Siddiqui; writing by Raphael Satter; editing by Jonathan Oatis and Kevin Liffey)