Since the DarkSide account was opened in March, Elliptic said, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected just this spring. Cybersecurity analysts assess that the group has been active since at least August, and has most likely used a number of different Bitcoin wallets to receive ransoms.
But on Thursday, someone withdrew roughly 113.5 Bitcoin, or $5.6 million, from DarkSide’s Bitcoin wallet and moved it into an unknown user’s account, according to TRM Labs, a San Francisco blockchain intelligence company. The sum amounted to Colonial’s 75 Bitcoin ransom plus that of a German company, Brenntag, which also opted to pay its digital extortionists, TRM Labs said.
To whom that other account belongs is yet another plot twist in the hacking episode.
“It’s hard to speculate,” Esteban Castaño, a co-founder of TRM Labs, said in an interview Friday. He noted that whoever moved DarkSide’s winnings would have had access to the group’s private key to its Bitcoin wallet.
“The question is where were those private keys stored?” Mr. Castaño said. “Were they on some server that someone else got ahold of? Or did DarkSide initiate the transfer themselves?”
The intense scrutiny that followed the Colonial Pipeline attack has clearly unsettled ransomware groups. This week, the operators behind two major Russian-language ransomware platforms, REvil and Avaddon, announced strict new rules governing the use of their products, including bans on targeting government-affiliated entities, hospitals or educational institutions.
The administrator of XSS, a popular Russian-language cybercrime forum, announced an immediate ban on all ransomware activity on the forum, citing, among other things, the bad press associated with the industry. In a statement posted in the forum, the administrator called the attention a “critical mass of harm, nonsense, hype and noise,” saying even the spokesman for President Vladimir V. Putin of Russia had weighed in on the Colonial Pipeline attack. (The spokesman, Dmitri S. Peskov, denied that the Kremlin had been involved in the attack on the pipeline.)
“The word ransom has become associated with a whole series of unpleasant things — geopolitics, blackmail, government cyberattacks,” the XSS administrator wrote. “This word has become dangerous and toxic.”