The withdrawals were spotted Thursday by a Twitter bot called @actual_ransom, set up by Quartz reporter Keith Collins to keep an eye on those wallets. As Collins noted, “few expected” that those behind the WannaCry attacks would ever try to move their money, as they only used a few bitcoin addresses to which people subsequently paid a lot of attention.

WannaCry is what’s known as ransomware – malware that infects a computer and encrypts files, which can supposedly only be decrypted once the victim pays a ransom. In this case, the ransom for each infection was $300, to be paid in bitcoin.

Get Data Sheet, Fortune’s technology newsletter.

The list of WannaCry victims was vast, ranging from hospitals in the U.K.’s National Health Service to Honda’s car factories. Subsequent research showed that almost all the victims were running Windows 7. WannaCry was in part designed to exploit a flaw, found in many versions of Microsoft’s operating system, that had been exposed through a leak from the U.S. National Security Agency (NSA).

Read: A Single Extreme Cyberattack Could Cost the U.S. More than Hurricane Katrina

Cybersecurity firm Symantec said it was likely that North Korean hackers were behind the attack. Considering the number of computers affected by the attack, the overall haul was pretty small.

Collins theorized that the money withdrawn on Thursday, in seven separate transactions, may go through a “bitcoin mixer” in order to obfuscate which funds are heading where. The bitcoin ecosystem is based on a public ledger, so transactions are inherently public, but some people run their money through high-volume accounts to try and counter this transparency.