The US Department of Justice (DOJ) has successfully recovered US$2.3 million (€1.89 million) of the US$4.4 million ransom paid to the Russian-linked hacker group DarkSide by Colonial Pipeline.
DarkSide shut down the Colonial Pipeline, the largest fuel pipeline in the US, which carries around 45% of the US East Coast’s fuel needs, on 7 May, after stealing almost 100 GB of data from the company and locking its computer systems. The shutdown triggered panic buying and fuel shortages. Colonial managed to manually restart Line 4 on 10 May 2021, but the pipeline did not return to normal operations until 15 May 2021. CEO Joe Blount confirmed in an interview with National Public Radio (NPR) in the US that Colonial had paid the Bitcoin ransom demanded by DarkSide, saying ‘it was the right decision to make for the country.’
The DOJ has seized 63.7 bitcoins from DarkSide, after a seizure warrant was authorised by the Honorable Laurel Beeler, US Magistrate Judge for the Northern District of California. How exactly the bitcoins were recovered is not clear, but the DOJ says that agents were able to track the bitcoin transfers representing the ransom payment and identify the specific address to which they had been transferred. The Federal Bureau of Investigation (FBI) had the ‘private key’, the equivalent of a password, for that address, and could therefore access the bitcoin.
The Special Prosecutions Section and Asset Forfeiture Unit of the US Attorney’s Office for the Northern District of California is handling the seizure, assisted by the DOJ Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section, and the National Security Division’s Counterintelligence and Export Control Section. The seizure was coordinated by the DOJ’s Ransomware and Digital Extortion Task Force. The bitcoin recovered may be held as proceeds of crime.
‘Following the money remains one of the most basic, yet powerful tools we have. Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide,’ says Deputy Attorney General Lisa Monaco.
FBI Deputy Director Paul Abbate says that the recovery of the bitcoins shows that ‘there is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors.’
In a statement, Blount thanks the FBI for their ‘swift work and professionalism’, and says that holding criminals responsible and disrupting the ecosystem is the best way to prevent future attacks. He also stresses the role the private sector will play through investment in defences.
‘When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington DC to share with them what we knew at that time. The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable,’ he says.
He adds that Colonial will continue to share intelligence and learnings with federal agencies and that the company’s goal is to help its critical infrastructure peers to strengthen their defences against cyber attacks.