Many expected the funds to stay put due to scrutiny.
Remember the WannaCry cyber-crimewave that infected hundreds of thousands of computers around the world a few months ago? The proceeds of that crime – around $140,000 worth of bitcoins – have finally been withdrawn from the attackers’ virtual wallets.
The withdrawals were spotted Thursday by a Twitter bot called @actual_ransom, set up by Quartz reporter Keith Collins to keep an eye on those wallets. As Collins noted, “few expected” that those behind the WannaCry attacks would ever try to move their money, as they only used a few bitcoin addresses to which people subsequently paid a lot of attention.
WannaCry is what’s known as ransomware – malware that infects a computer and encrypts files, which can supposedly only be decrypted once the victim pays a ransom. In this case, the ransom for each infection was $300, to be paid in bitcoin.
Get Data Sheet, Fortune’s technology newsletter.
The list of WannaCry victims was vast, ranging from hospitals in the U.K.’s National Health Service to Honda’s car factories. Subsequent research showed that almost all the victims were running Windows 7. WannaCry was in part designed to exploit a flaw, found in many versions of Microsoft’s operating system, that had been exposed through a leak from the U.S. National Security Agency (NSA).
Collins theorized that the money withdrawn on Thursday, in seven separate transactions, may go through a “bitcoin mixer” in order to obfuscate which funds are heading where. The bitcoin ecosystem is based on a public ledger, so transactions are inherently public, but some people run their money through high-volume accounts to try and counter this transparency.