Thursday, June 1, 2023 | Back issues
Courthouse News Service Courthouse News Service

Even Bitcoin Leaves a Trail: DOJ Seizes $2.3M Paid to Pipeline Hackers

The Justice Department announced the recovery Monday of most of the bitcoin paid by Colonial Pipeline after an April ransomware attack.

The FBI cracked the password to the Bitcoin account of the Colonial Pipeline hackers. 

FILE - In this May 12, 2021, file photo, the entrance of Colonial Pipeline Company in Charlotte, N.C. U.S. pipeline operators will be required for the first time to conduct a cybersecurity assessment under a Biden administration directive to be issued Thursday in response to the ransomware hack that disrupted gas supplies in several states this month. (AP Photo/Chris Carlson, File)

WASHINGTON (CN) — The Justice Department announced the recovery Monday of most of the bitcoin paid by Colonial Pipeline after an April ransomware attack. 

Deputy Attorney General Lisa Monaco lauded the $2.3 million development during a press conference late Monday, calling it a victory of traditional law enforcement strategies against the “sophisticated use of technology to hold businesses, and even hold cities, hostage for profit.”

“Following the money remains one of the most basic, yet powerful tools we have,” Monaco said. “Ransom payments are the fuel that propels the digital-extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.” 

Upon discovering the infiltration early last month, Colonial Pipeline shut down operations for the first time in its 57-year history, triggering a nationwide gas shortage that ended when it paid a $4.4 million ransom to the hackers on May 8.

FBI investigators attributed the attack to the Russia-linked hacker group called DarkSide, saying it broke into Colonial Pipeline's internal networks using a virtual private network account on April 29 and left a ransom note demanding cryptocurrency that was discovered one week later by a Colonial employee.

Law enforcement traced approximately 63.7 bitcoins to a specific web address in the ensuing weeks, then executed a seizure warrant through the Northern District of California to recover the assets. Because the price of bitcoin dropped significantly in the interim, however, what should have been 85% of the total ransom paid amounted today to just $2.3 million. The cryptocurrency-tracking firm Elliptic says this was the full take of the affiliate that carried out the attack, while the ransomware software provider DarkSide would have gotten the remaining 15%.

“For financially motivated cyber criminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose,” FBI Deputy Director Paul Abbate explained at Monday's press conference.

He said that the FBI had been investigating DarkSide since 2020, and that it seized the ransom payment from a Bitcoin wallet associated with the group. 

Abbate said the speed with which businesses report cyberattacks to law enforcement is key in minimizing damage. “When we have victims willing to share information, to further our collective efforts against cyber adversaries, we can have immediate permanent effect on ransomware actors,” he said. 

Stephanie Hinds, acting U.S. attorney for the Northern District of California, said that the government needs to “continue improving the cyber resiliency of our critical infrastructure” to prevent another disruption in U.S. supply chains. 

Monaco only issued new guidance for investigating ransomware attacks a week earlier. The deputy attorney general issued a clearer warning directly to U.S. businesses: “Pay attention now. Invest resources now,” she said. “Failure to do so could be the difference between being secure now or a victim later.” 

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.