The U.S. Department of Justice (DOJ) on Monday announced that it has seized 63.7 Bitcoins currently valued at approximately $2.3 million that individuals in a criminal hacking group known as ‘DarkSide’ had extorted from Colonial Pipeline in a ransomware attack last month.
For those unaware, a gang of hackers using the DarkSide ransomware variant had broken into the computer systems of Georgia-based Colonial Pipeline on May 7, causing days of fuel shortages across the U.S. East Coast, an increase in gasoline prices, panic buying, and disruption at airlines.
At the time of the hack, DarkSide had acknowledged the incident in a public statement.
“Our goal is to make money and not creating problems for society,” DarkSide wrote on its website. “We do not participate in geopolitics, do not need to tie us with a defined government and look for… our motives.”
To resolve the attack, Colonial Pipeline paid a ransom of approximately 75 Bitcoins, worth more than $4 million at the time, on May 8 in order to regain access to its computer systems. It also quickly reported the matter to the Federal Bureau of Investigation (FBI).
The FBI was able to track multiple transfers of Bitcoin by reviewing the Bitcoin public ledger and identified that approximately 63.7 Bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a cryptocurrency wallet in Russia.
The agency was reportedly able to gain access to the “private key” — the rough equivalent of a password or physical key — for one of the hacker gang’s Bitcoin wallets, the one at which they received payment from Colonial. Whoever holds the private key for an address can sign transactions that spend the funds sitting at that address, which is what made the seizure possible.
“Using law enforcement authority, victim funds were seized from that wallet, preventing Dark Side actors from using them,” FBI Deputy Director Paul Abbate said at the briefing.
The FBI declined to say precisely how it accessed the Bitcoin wallet nor did it share any information on how it got access to the private key.
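The tracing described above, following the ransom payment forward through the public ledger until it comes to rest at an address, can be illustrated with a small toy model. The following is an added example written for this page; it is not the FBI's tooling and not code from the DOJ or Colonial Pipeline. The ledger, transaction IDs, addresses and amounts are constructed for illustration and are not real chain data; only the 75 / 63.7 BTC figures echo the article.

```python
"""Follow funds forward through a toy Bitcoin-style transaction graph."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TxOut:
    address: str
    value: float        # BTC


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple       # (prev_txid, vout) references to outputs being spent
    outputs: tuple      # TxOut objects, indexed by position (vout)


# Constructed toy ledger: txids, addresses and amounts are hypothetical and
# do not come from the real Bitcoin blockchain or the DOJ seizure affidavit.
LEDGER = (
    # victim pays 75 BTC to the attacker's payment address
    Tx("tx_ransom", (("tx_victim_funding", 0),), (TxOut("addr_payment", 75.0),)),
    # attacker splits the payment: affiliate share vs. operator share (0.05 BTC fee)
    Tx("tx_split", (("tx_ransom", 0),),
       (TxOut("addr_affiliate", 11.25), TxOut("addr_operator", 63.7))),
    # operator share moved once more into the address that is later seized
    Tx("tx_move", (("tx_split", 1),), (TxOut("addr_seized", 63.69),)),
    # affiliate share fanned out to two further addresses
    Tx("tx_fanout", (("tx_split", 0),),
       (TxOut("addr_aff_a", 5.0), TxOut("addr_aff_b", 6.24))),
)


def build_indexes(ledger):
    """Map each output to its TxOut and each spent output to the spending tx."""
    outputs = {}
    spent_by = {}
    for tx in ledger:
        for vout, out in enumerate(tx.outputs):
            outputs[(tx.txid, vout)] = out
        for ref in tx.inputs:
            spent_by[ref] = tx
    return outputs, spent_by


def trace_forward(ledger, start_address):
    """Breadth-first walk from every output paid to start_address, following
    each spend into the next transaction's outputs.  Returns the unspent
    outputs reached, as {(txid, vout): (address, value, hops)}."""
    outputs, spent_by = build_indexes(ledger)
    queue = deque((ref, 0) for ref, out in outputs.items()
                  if out.address == start_address)
    seen = set()
    terminal = {}
    while queue:
        ref, hops = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        nxt = spent_by.get(ref)
        if nxt is None:                      # unspent: funds rest here
            out = outputs[ref]
            terminal[ref] = (out.address, out.value, hops)
            continue
        for vout in range(len(nxt.outputs)):  # spent: follow every output
            queue.append(((nxt.txid, vout), hops + 1))
    return terminal


def largest_resting_output(terminal):
    """Pick the unspent output carrying the most value."""
    _, (addr, value, hops) = max(terminal.items(), key=lambda kv: kv[1][1])
    return addr, value, hops


if __name__ == "__main__":
    ends = trace_forward(LEDGER, "addr_payment")
    for (txid, vout), (addr, value, hops) in sorted(ends.items()):
        print(f"{txid}:{vout} -> {addr} {value:.2f} BTC after {hops} hop(s)")
    print("largest resting output:", largest_resting_output(ends))
```

The walk treats every output of a transaction that spends tainted coins as tainted, which is the crude "poison" heuristic; on the real chain it over-approximates as soon as the attacker uses CoinJoin-style mixing or consolidates with unrelated funds, and serious chain-analysis work adds heuristics for change outputs and common-input ownership. Knowing where the coins rest is also only half the story: seizing them still requires the private key for that address or a custodian who will honour a court order.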
“Today we turned the tables on DarkSide,” U.S. Deputy Attorney General Lisa Monaco said during a press briefing, adding that the money was seized via a court order.
She described the FBI-led operation as a victory and a representation of the Justice Department’s full powers.
“Following the money remains one of the most basic, yet powerful tools we have. Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” Monaco added.
“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said Abbate.
“We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public,” he added.
The seizure warrant was authorized through the U.S. Attorney’s Office for the Northern District of California.
Joseph Blount, Chief Executive of the Colonial Pipeline Company, thanked the FBI for its “swift work and professionalism” and for helping the company to recover the ransom.
“Holding cybercriminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks,” Blount said in a statement.