JUNE 7, 2021
Federal authorities have recovered more than two million dollars in cryptocurrency paid in ransom to foreign hackers whose attack last month led to the shutdown of a major pipeline that provides nearly half the East Coast’s fuel, according to officials.
The seizure of funds paid by Colonial Pipeline to a Russian hacker ring, DarkSide, marks the first recovery by a new ransomware Justice Department task force. It follows a string of cyber attacks that panicked consumers and led President Biden to warn Russia that it needed to take “decisive action” against the criminal networks.
“Today we turned the tables on DarkSide,” Deputy Attorney General Lisa Monaco said, announcing the recovery on Monday afternoon. “The Department of Justice has found and recaptured the majority of the ransom” in the wake of last month’s attack.
The ransomware attack on Colonial in early May prompted the company to shut its pipeline operation for 11 days, causing panic buying that resulted in gasoline shortages in much of the southeastern U.S. The hackers locked up Colonial’s business computer networks by encrypting data on them, and demanded millions of dollars in ransom to unlock the system.
Armed with a warrant granted by a federal judge in the Northern District of California, the FBI on Monday seized proceeds from a digital “wallet” that held the ransom collected by the hackers, FBI Deputy Director Paul Abbate said. The ransom was paid in bitcoin, a form of cryptocurrency.
The warrant authorized seizure of 63.7 bitcoin, or $2.3 million at the current exchange rate.
The hackers demanded and were paid a ransom of 75 bitcoin on May 8, according to the warrant affidavit. On that date, the value of bitcoin was higher — worth about $4.3 million.
Colonial Pipeline CEO Joseph Blount told The Wall Street Journal last month that the firm paid the ransom. “I know that’s a highly controversial decision,” he said. “ … But it was the right thing to do for the country.”
On Monday, Blount issued a statement praising the FBI.
“We are grateful for their swift work and professionalism in responding to this event,” he said. “Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature.”
Blount said that when Colonial was hit by the cyber attack, it contacted the FBI field offices in Atlanta and San Francisco, as well as prosecutors in Northern California and Washington, D.C.
DarkSide operates under a ransomware-as-a-service model: DarkSide supplies the malware, and a criminal affiliate uses it to lock up data on a victim’s computer system. When the victim pays the ransom to free up the system, the affiliate keeps the vast majority of the payment and DarkSide gets the rest.
In this case, about 85 percent of the payment was to have gone to DarkSide’s affiliate, said Tom Robinson, co-founder of Elliptic, a cryptocurrency analytics firm. Elliptic spotted the wallet suspected of holding Colonial’s ransom payment on May 14.
The 63.7 bitcoin were the affiliate’s share, said Robinson. It is not clear who has the rest of the proceeds, he said.
On May 13, DarkSide announced that it was suspending its operation, that its servers had been “blocked” and that funds from a payment server had been moved to “an unknown account.”
Those funds are still in that wallet, said Robinson, whose firm tracks cryptocurrency payments on a public digital ledger known as a “blockchain.” The ledger does not contain information identifying who controls the wallet.