The United States’ justice department says it has seized 63.7 bitcoins, currently worth around $2.3m (€1.9m), which it claims is part of the 75-bitcoin ransom Colonial Pipeline paid when a cyber-attack knocked its pipeline out of action for several days in May.
The outage caused fuel shortages in the eastern US and exposed how vulnerable key infrastructure is to cyber security breaches.
Following the attack, the Georgia-based company told the FBI its computer network was accessed by cyber-criminal organisation DarkSide and it had paid the 75-bitcoin ransom demanded.
By reviewing the Bitcoin public ledger, law enforcement agencies tracked multiple transfers of the cryptocurrency and identified 63.7 bitcoins from the ransom payment being transferred to an address for which the FBI holds the private key, the justice department said.
As the bitcoins concerned represent proceeds traceable to a computer intrusion and property involved in money laundering they may be seized, it added.
“Following the money remains one of the most basic, yet powerful tools we have,” said deputy attorney general Lisa Monaco.
“Ransom payments are the fuel that propels the digital extortion engine, and [this] announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.
“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”
The outcome also demonstrates the value of early notification to law enforcement and the department thanks Colonial Pipeline for quickly notifying the FBI when it learned it was targeted by DarkSide, she added.
FBI deputy director Paul Abbate commented: “There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors.”
Colonial’s CEO Joseph Blount said the company is grateful for the bureau’s swift work and professionalism in recovering the ransom.
“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks,” he added.
“The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defences.”
DarkSide operates from eastern Europe, possibly Russia, according to US authorities. It offers a ransomware-as-a-service business model: the group develops and markets ransomware tools and sells them to criminals who carry out the attacks.
At the time of the Colonial hack, DarkSide acknowledged the incident. “Our goal is to make money and not creating problems for society,” the organisation wrote on its website. “We do not participate in geopolitics, do not need to tie us with a defined government and look for … our motives.”