Feds Seize Most of Ransom Paid in Colonial Pipeline Ransomware Attack

The Justice Department said it "turned the tables" on DarkSide.

Edward Gately, Senior News Editor

June 7, 2021


The Department of Justice has seized $2.3 million in cryptocurrency paid to the DarkSide group during the Colonial Pipeline ransomware attack.

The cryptocurrency represents most of the proceeds of a May 8 ransom payment to DarkSide. Colonial Pipeline is the largest refined products pipeline in the United States.

The Colonial Pipeline ransomware attack pushed gas prices higher and disrupted supply in the eastern United States.

Laurel Beeler, U.S. magistrate judge for the Northern District of California, authorized the seizure warrant.

Lisa Monaco is deputy attorney general for the Justice Department. She said on Monday, “We turned the tables on DarkSide.”


“Following the money remains one of the most basic, yet powerful tools we have,” she said. “Ransom payments are the fuel that propels the digital extortion engine. And today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement.”

Colonial Pipeline-FBI Cooperation

On May 7, Colonial Pipeline reported to the FBI that its computer network was accessed by DarkSide, and that it had received and paid a ransom demand for about 75 bitcoins.

By reviewing the bitcoin public ledger, law enforcement tracked multiple transfers of bitcoin and identified about 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, that had been transferred to a specific address. The FBI holds the “private key” for that address, the rough equivalent of a password needed to access the assets held at that bitcoin address.

This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering.

The special prosecutions section and asset forfeiture unit of the U.S. Attorney’s Office for the Northern District of California is handling the seizure, with significant assistance from the Department of Justice criminal division’s money laundering and asset recovery section and computer crime and intellectual property section, and the national security division’s counterintelligence and export control section.

Disrupting Ransomware Attacks

Paul Abbate is deputy director of the FBI.

“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” he said. “We will continue to use all of our available resources, and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

Anurag Gurtu is StrikeReady’s chief product officer.

“Trying to determine who holds the crypto wallet is a wild goose chase,” he said. “There is no bitcoin address registry that lists the owners of every address. Identifying the owner of that address requires knowing where you got it from. But even then, it’s the end of the road.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
