DOJ Seizes $3 Million in Cryptocurrency From Hackers After Colonial Pipeline Cyberattack

U.S. federal agents have tracked down and seized more than half of the $US4.4 million (about A$6 million) ransom that Colonial Pipeline paid to the cybercriminal gang DarkSide following May’s catastrophic cyberattack, the U.S. Justice Department has announced.

The operation was disclosed at a press conference on Monday, during which Deputy Attorney General Lisa O. Monaco said the action had been coordinated with the help of the Justice Department’s newly created ransomware task force. In an accompanying press release, the Justice Department said agents were able to track “multiple transfers of bitcoin” that led them to a crypto wallet holding “approximately 63.7 bitcoins,” or about $US2.3 million (A$3 million). The “FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address,” officials said.
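The “follow the money” step the release describes, tracing transfers from the payment through to the address that still holds the coins, can be shown on a toy transaction graph. The code below is an added example, not code from the article or the Justice Department: the ledger, transaction ids, addresses and hop structure are constructed (only the 75 BTC payment and 63.7 BTC holding figures echo the article), and fees are omitted. A real investigation pulls the same data from a full node or an indexer, but the forward traversal from one outpoint to the unspent outputs is the same.

```python
"""Following a ransom payment forward through the bitcoin transaction graph.

Added example, not code from the article or the Justice Department. The
ledger is constructed: txids, addresses and amounts are placeholders
(the 75 BTC payment and 63.7 BTC holding echo the article, the rest is
invented). A real investigation reads transactions from a node or block
explorer, but the traversal is the same.
"""
from collections import deque
from dataclasses import dataclass
from decimal import Decimal

SATS_PER_BTC = 100_000_000


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple[tuple[str, int], ...]  # outpoints spent: (prev_txid, vout)
    outputs: tuple[TxOut, ...]


# Constructed ledger (fees omitted for clarity). Outpoint ("pay", 0) is the
# 75 BTC sent to the extortionists; ("pay", 1) is the victim's own change.
LEDGER = {
    "pay": Tx("pay", (("victim_funding", 0),), (
        TxOut("addr_ransom_dest", 75 * SATS_PER_BTC),
        TxOut("addr_victim_change", 5 * SATS_PER_BTC),
    )),
    # The gang splits the ransom across two addresses.
    "split": Tx("split", (("pay", 0),), (
        TxOut("addr_held", 6_370_000_000),          # 63.7 BTC, never moved
        TxOut("addr_intermediate", 1_130_000_000),  # 11.3 BTC
    )),
    # The smaller part is forwarded once more, e.g. toward an exchange deposit.
    "forward": Tx("forward", (("split", 1),), (
        TxOut("addr_exchange_deposit", 1_130_000_000),
    )),
    # The victim later spends its change: unrelated to the ransom, must not be followed.
    "victim_spend": Tx("victim_spend", (("pay", 1),), (
        TxOut("addr_victim_other", 5 * SATS_PER_BTC),
    )),
}


def spend_index(ledger: dict[str, Tx]) -> dict[tuple[str, int], str]:
    """Map each spent outpoint to the txid that spends it."""
    return {prev: tx.txid for tx in ledger.values() for prev in tx.inputs}


def follow_funds(ledger: dict[str, Tx], start: tuple[str, int]) -> dict[str, int]:
    """Walk forward from one outpoint to the unspent outputs now holding the money.

    Heuristic: once a transaction spends a tainted outpoint, every one of its
    outputs is treated as tainted ("poison" tracing). That is deliberately
    simple: it ignores fees, does not try to separate change from payment,
    and is defeated by mixing or CoinJoin, where tainted and clean inputs
    are combined in one transaction. Returns {address: satoshis}.
    """
    spent = spend_index(ledger)
    holdings: dict[str, int] = {}
    queue = deque([start])
    seen: set[tuple[str, int]] = set()
    while queue:
        outpoint = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        spender = spent.get(outpoint)
        if spender is None:
            # Unspent: this is where the money currently sits.
            txid, vout = outpoint
            out = ledger[txid].outputs[vout]
            holdings[out.address] = holdings.get(out.address, 0) + out.value
            continue
        for vout in range(len(ledger[spender].outputs)):
            queue.append((spender, vout))
    return holdings


def btc(sats: int) -> Decimal:
    """Satoshis to BTC for display."""
    return Decimal(sats) / SATS_PER_BTC


if __name__ == "__main__":
    for address, sats in follow_funds(LEDGER, ("pay", 0)).items():
        print(f"{address}: {btc(sats)} BTC")
```

Starting from the single outpoint paid to the attackers, rather than from the whole payment transaction, keeps the victim’s change out of the trace. Locating the holding address is only the first half of the story the release tells: a seizure on-chain still needs the private key for that address, and the page gives no detail on how the FBI obtained it.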

The multimillion-dollar payment was made by Colonial to DarkSide in Bitcoin shortly after the gang’s ransomware attack on the energy company’s network, which temporarily crippled its operations and threatened a mini energy crisis across the Southeast.

“The sophisticated use of technology to hold businesses — and even whole cities — hostage for profit is decidedly a 21st-century challenge. But the old adage ‘follow the money’ still applies,” said Monaco, during Monday’s press conference. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

It’s unclear how the FBI ultimately got hold of the key to DarkSide’s crypto wallet, or why, more than a month later, the ransom had not yet been converted into fiat through a crypto exchange or dark market; once the coins have been cashed out, holding a private key no longer recovers them. However, CNN reports that after paying DarkSide, Colonial also took “early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia.” We don’t have details on whether those steps ultimately helped law enforcement track and seize the payment after it was made.

The announcement of the asset seizure, one of the largest ever connected to a ransomware attack, comes as the federal government has signalled a much more targeted, strategic, and comprehensive approach to fighting the ransomware epidemic currently gripping the country. Just last week, the Justice Department announced a new national strategy for investigating and pursuing leads in ransomware attacks.

“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate, during Monday’s press conference. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”