More than £100,000 of digital currency bitcoin paid to hackers by victims of the WannaCry ransomware attack has been withdrawn from their online wallets.
The cyber attack struck the NHS in May, as well as hundreds of other businesses worldwide, causing days of disruption by locking users out of their files and demanding bitcoin payments in order to release them.
The new bitcoin activity was spotted by a Twitter bot - created by Quartz journalist Keith Collins - to track activity around the digital wallets linked to WannaCry.
The bot recorded a series of withdrawals from the wallets on Thursday, and bitcoin monitoring sites now show all of the wallets known to be linked to the attack as empty.
Every bitcoin transaction is publicly visible, but account holders themselves are anonymous.
No one has officially claimed responsibility for the WannaCry attack, but some experts have linked it to Lazarus, the group also linked with the Sony Pictures hack in 2014.
At the time of the WannaCry attack, victims were asked to pay around £230 in the virtual currency in order to regain control of their systems.
However, cyber security experts advised victims not to pay, as it could encourage other cyber criminals and would not guarantee access was restored.
Some experts have suggested the hackers will now use a 'mixer', where the bitcoin is broken up and scattered through a wider series of payments, in order to make it harder to trace.
Ilia Kolochenko, chief executive of cyber security firm High-Tech Bridge said: "Professional cyber criminals have well-established contacts with organised crime, financial institutions and even law enforcement agencies.
"It's a not a big problem to find a virtually untraceable way for bitcoin laundering. A lot of amateur cyber criminals were traced by various mistakes when they were trying to 'cash out', but professionals have different ways to stay in the shadows."