Federal agents have tracked and seized over half of the $4.4 million ransom paid by Colonial Pipeline to the cybercriminal gang DarkSide following May’s cyberattack, the U.S. Justice Department announced Monday.
At a press conference, Deputy Attorney General Lisa O. Monaco said that the operation was coordinated with the help of the Justice Department’s newly created ransomware task force and that the investigation had effectively recovered a majority of the multimillion-dollar crypto payment. In a press release, the DOJ said that agents were able to track “multiple transfers of bitcoin,” which led them to the discovery of a crypto wallet holding “approximately 63.7 bitcoins,” or approximately $2.3 million. The “FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address,” officials said.
“The sophisticated use of technology to hold businesses—and even whole cities—hostage for profit is decidedly a 21st-century challenge. But the old adage ‘follow the money’ still applies,” said Monaco, during Monday’s presser. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”
The Colonial Pipeline ransomware attack, which took place on May 7th, not only temporarily crippled the operations of one of America’s largest oil companies; it also spurred a mini energy crisis throughout the Southeast and provoked a large political response and alleged turmoil within the criminal underworld.
It’s unclear how the FBI ultimately got hold of the key to DarkSide’s crypto wallet—or why, over a month later, the ransom hadn’t yet been transferred into fiat via a crypto exchange or dark market. However, CNN reports that after paying DarkSide, Colonial also took “early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia.” We don’t have details on how exactly those steps ultimately helped law enforcement track and seize the payment after it was made.
The announcement of the asset seizure comes as the federal government has signaled a much more targeted, strategic, and comprehensive approach to fighting the ransomware epidemic currently gripping the country. Just last week, the Justice Department announced a new national strategy for investigating and pursuing leads in ransomware attacks.
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate, during Monday’s press conference. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”