DOJ Seizes 63.7 BTC Paid by Colonial Pipeline as a Ransomware Payment to DarkSide
The Justice Department has reported recovering about $2.3 million in cryptocurrency ransom paid by Colonial Pipeline Co, which the agency itself and the mainstream media are describing as the most disruptive US cyberattack on record.
“Right now, prosecution is a pipedream,” said John Hultquist, vice president at cybersecurity firm Mandiant, while praising the move. “Disrupt. Disrupt. Disrupt.”
Oh good the FBI recovered the Colonial Pipeline ransom by tracing the wallet. Ransomware is solved!
— Matthew Green (@matthew_d_green) June 7, 2021
Deputy Attorney General Lisa Monaco said on Monday that investigators had seized 63.7 BTC paid by Colonial after last month’s hack of its systems, which caused a shutdown leading to a spike in gas prices, panic buying, and massive shortages at gas stations along the U.S. East Coast.
The DOJ has “found and recaptured the majority” of the ransom paid by Colonial, Monaco said. Colonial Pipeline had paid the hackers nearly $5 million to regain access.
A judge in San Francisco approved the seizure of funds from the cryptocurrency address, which is reported to be located in the Northern District of California.
The FBI attributed the hack to a gang called DarkSide. Deputy FBI Director Paul Abbate described DarkSide as a Russia-based cybercrime group during the news conference.
According to Abbate, the FBI was tracking more than 100 ransomware variants, and DarkSide alone has victimized at least 90 U.S. companies. Commerce Secretary Gina Raimondo said over the weekend that the Biden administration was looking at all options to defend against ransomware attacks.
An affidavit filed by the FBI said the bureau was in possession of a private key to unlock a Bitcoin wallet that received most of the funds. What is not mentioned is how the FBI gained access to that private key.
I'm having a tough time believing that this supposedly Russian hacking network was so sophisticated it could shut down our infrastructure, but not knowledgeable enough to maintain safe custody over their bitcoin.
We're missing the whole story, here…
— Jordan Schachtel (@JordanSchachtel) June 7, 2021
The bitcoin wallet from which the funds were taken had contained 69.6 bitcoins, said Tom Robinson, co-founder of crypto tracking firm Elliptic. According to Robinson, DarkSide would keep a smaller share for its role in providing the encryption software and negotiating with the victim.
The FBI affidavit said that the bureau had tracked the bitcoin through multiple wallets, using the public blockchain ledger and tracing tools.
Small amounts were shaved off the initial 75-bitcoin payment along the way, while the remaining amount reached the wallet on May 27 and stayed there until this week.
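As an added illustration of the follow-the-money tracing the affidavit describes (this is example code, not the FBI's tooling or anything from the article), the script below walks a constructed three-hop transaction graph, denominated in satoshis, from the victim's payment address to every unspent address the value reaches, charging each hop's miner fee once. All addresses, txids and amounts are made up; the shape (a 75 BTC payment with smaller cuts peeled off and the bulk landing in one wallet) mirrors the flow the article reports.

```python
from collections import deque

# Constructed, simplified transaction graph in satoshis: not real chain data and
# not the case's addresses. Inputs minus outputs in each tx is the miner fee.
CONSTRUCTED_TXS = [
    {"txid": "tx1", "inputs": {"victim_addr": 7_500_000_000},
     "outputs": {"hop1": 7_499_000_000}},                        # 0.01 BTC fee
    {"txid": "tx2", "inputs": {"hop1": 7_499_000_000},
     "outputs": {"hop2": 7_249_000_000, "cut_a": 250_000_000}},  # 2.5 BTC peeled
    {"txid": "tx3", "inputs": {"hop2": 7_249_000_000},
     "outputs": {"hop3": 6_960_000_000, "cut_b": 289_000_000}},  # 2.89 BTC peeled
]


def index_spends(txs):
    """Map each address to the transactions that spend from it."""
    idx = {}
    for tx in txs:
        for addr in tx["inputs"]:
            idx.setdefault(addr, []).append(tx)
    return idx


def trace(txs, start_addr, start_sats):
    """Follow every output descending from start_addr (full-taint tracing).
    Returns (terminal_balances, total_fees): where the traced value now sits
    unspent, and the satoshis lost to miner fees along the way."""
    idx = index_spends(txs)
    terminal, fees, seen = {}, 0, set()
    queue = deque([(start_addr, start_sats)])
    while queue:
        addr, sats = queue.popleft()
        spending = idx.get(addr)
        if not spending:                      # unspent: value rests here
            terminal[addr] = terminal.get(addr, 0) + sats
            continue
        for tx in spending:
            if tx["txid"] in seen:            # charge each tx's fee only once
                continue
            seen.add(tx["txid"])
            fees += sum(tx["inputs"].values()) - sum(tx["outputs"].values())
            for out_addr, out_sats in tx["outputs"].items():
                queue.append((out_addr, out_sats))
    return terminal, fees


def majority_holder(terminal):
    """The unspent address holding the largest share: the seizure target."""
    addr = max(terminal, key=terminal.get)
    return addr, terminal[addr]
```

On this constructed graph the trace ends with 69.6 BTC resting at `hop3`, 0.01 BTC paid in fees and 5.39 BTC diverted to the two side addresses, which is the kind of picture a warrant for a single wallet is built on.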
JUST IN: FBI has seized back pipeline ransom funds from DarkSide's bitcoin wallet. Lisa Monaco: "Today we turned the table on Dark Side"… US now going after "the entire ecosystem."
— Kevin Baron (@DefenseBaron) June 7, 2021
Meanwhile, the crypto community is trying to work out exactly how the agency was able to get its hands on the key.
#Bitcoin was NOT hacked
No bitcoin wallet was hacked, nor is even known to be possible. Ransom hackers used a rented cloud server. FBI got a subpoena and took control of it and recovered coins. That's it.
— Adam Back (@adam3us) June 8, 2021
According to Alex Thorn, Head of Research at Galaxy Digital, “there’s no evidence of a bitcoin or bitcoin wallet security vulnerability.” “We looked on-chain & found a pattern that seems to show the funds ultimately flowed to a trading desk or exchange willing to comply with a US warrant,” he added.