US recovers part of multi-million ransom paid to Colonial Pipeline hackers

Last month, America's largest fuel pipeline suffered a major cyber attack that caused fuel shortages and price increases across the country

Colonial Pipeline reportedly paid about 75 Bitcoin to hackers to regain control of its systems. EPA

The US Department of Justice has recovered millions of dollars in cryptocurrency paid to DarkSide, the criminal group behind the cyber attack on Colonial Pipeline, the country’s largest fuel pipeline.

Investigators have recovered 63.7 Bitcoin valued at about $2.3 million, the department said in a statement.

“Ransom payments are the fuel that propels the digital extortion engine ... [The seizure] demonstrates that the US will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” said deputy attorney general Lisa Monaco.

The Justice Department will continue to focus on “the entire ransomware ecosystem to disrupt and deter these attacks”, with the seizure demonstrating the importance of early notification of law enforcement authorities, she said.

“We thank Colonial Pipeline for quickly notifying the FBI when they learnt that they were targeted by DarkSide,” said Ms Monaco.

Colonial, which suffered a major cyber attack that caused fuel shortages and price increases across the US last month, reported the incident to the FBI and paid a ransom of about 75 Bitcoin to regain control of its systems.

“We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public,” said FBI deputy director Paul Abbate.

Joseph Blount, chief executive of Colonial Pipeline, told The Wall Street Journal that he approved the ransom payment because his employees did not know how bad the breach was or how long it would take to resume pipeline supplies.

After the attack, DarkSide reportedly shut down its operations because of “pressure” from the US government.

The group's name-and-shame blog, ransom collection website and content delivery network were seized while funds from their cryptocurrency wallets were transferred to unknown accounts by unidentified entities, DarkSide said in a message shared on several cyber crime forums and hacking websites.

Industry experts said cyber attacks on energy infrastructure are typically politically or financially motivated.

“Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion,” said Stephanie Hinds, acting federal prosecutor for the Northern District of California.

“We need to continue improving the cyber resiliency of our critical infrastructure across the nation ... we will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”