DoJ seized $2.3 million paid to the Colonial Pipeline ransomware extortionists

The Department of Justice has seized 63.7 bitcoins currently valued at approximately $2.3 million. These funds allegedly represent the proceeds of a May 8, ransom payment to individuals in a group known as DarkSide, which had targeted Colonial Pipeline, resulting in critical infrastructure being taken out of operation.

Colonial Pipeline ransomware extortionists

“Following the money remains one of the most basic, yet powerful tools we have,” said Deputy Attorney General Lisa O. Monaco for the U.S. Department of Justice. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said Paul Abbate, FBI Deputy Director. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”

“Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion,” said Acting U.S. Attorney for the Northern District of California Stephanie Hinds. “We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California. We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”

On or about May 7, Colonial Pipeline was the victim of a highly publicized ransomware attack resulting in the company taking portions of its infrastructure out of operation. Colonial Pipeline reported to the FBI that its computer network was accessed by an organization named DarkSide and that it had received and paid a ransom demand for approximately 75 bitcoins.

“Trying to determine who holds the crypto wallet is a wild goose chase. There is no bitcoin address registry that lists the owners of every address. Identifying the owner of that address requires knowing where you got it from. But even then, it’s the end of the road,” said Anurag Gurtu, CPO, StrikeReady.

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes.

“Anyone actively stockpiling cryptocurrencies in the event of a ransomware attack or other emergency is crazy, unless that’s part of this business model, like a broker. This is a dangerous endeavor. A better way to prepare for a ransomware attack is to have a comprehensive cloud backup strategy in place so if your systems go offline, you’ll be able to get back online in a timely manner and potentially avoid paying the ransom at all,” said Matthew Rogers, CISO at Syntax.

Don't miss