The Washington Post

Feds recover more than $2 million in ransomware payments from Colonial Pipeline hackers

The seizure of cryptocurrency paid by Colonial Pipeline to a Russian hacker ring marks a major milestone for the Department of Justice

The Department of Justice on June 7 said that a new task force had recovered approximately $2.3 million in cryptocurrency paid in ransom to foreign hackers. (Video: The Washington Post)

Federal authorities have recovered more than $2 million in cryptocurrency paid in ransom to foreign hackers whose attack last month led to the shutdown of a major pipeline that provides nearly half the East Coast’s fuel, according to officials.

The seizure of funds paid by Colonial Pipeline to a Russian hacker ring, DarkSide, marks the first recovery by a new Justice Department ransomware task force. It follows a string of cyberattacks that panicked consumers and led President Biden to warn Russia that it needed to take “decisive action” against the criminal networks.

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge,” Deputy Attorney General Lisa Monaco said, announcing the recovery on Monday afternoon. “But the old adage, follow the money, still applies.”

“Today we turned the tables on DarkSide,” she said.

The ransomware attack on Colonial in early May prompted the company to shut its pipeline operation for 11 days, causing panic buying that resulted in gasoline shortages in much of the southeastern United States. The hackers locked up Colonial’s business computer networks by encrypting data on them and demanded millions of dollars in ransom to unlock the system.

Victims worldwide paid at least $412 million in ransom last year, according to Chainalysis, a firm that tracks cryptocurrency payments. The firm noted that this is a conservative analysis, since many victims do not report their ransom payments.

The problem has become so acute that Biden will raise it when he meets with Russian President Vladimir Putin in Geneva this month. National security adviser Jake Sullivan said Monday that the subject also will be raised during the president’s meeting with the leaders of the Group of Seven nations in Britain a few days before the Geneva summit.

Sullivan said he would like the G-7 to come up with an “action plan” to increase resilience to attacks and deal with the cryptocurrency challenge. Cryptocurrency, which allows users to mask their identities, “lies at the core of how these ransom transactions are played out,” he said.

As a result, ransomware attacks have become a matter of national security and economic security, officials said.

Having obtained a warrant granted by a federal judge in the Northern District of California, the FBI on Monday seized proceeds from a digital “wallet” that held the ransom collected by the hackers, FBI Deputy Director Paul Abbate said. The ransom was paid in bitcoin, a form of cryptocurrency.

The warrant authorized seizure of 63.7 bitcoin, or $2.3 million at the current exchange rate.

The bureau obtained the “private key” for the wallet address, according to an affidavit for the warrant. The key is basically a password that enabled the FBI to move bitcoin out of the wallet.

Officials did not explain how the FBI got the key.

The hackers demanded and were paid a ransom of 75 bitcoin on May 8, according to the affidavit. On that date, the value of bitcoin was higher, and the payment was worth about $4.3 million.

Colonial Pipeline CEO Joseph Blount told The Wall Street Journal last month that the firm paid the ransom. “I know that’s a highly controversial decision,” he said. “ … But it was the right thing to do for the country.”

On Monday, Blount issued a statement praising the FBI.

“We are grateful for their swift work and professionalism in responding to this event,” he said. “Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature.”

Blount said that when Colonial was hit by the cyber attack, it contacted the FBI field offices in Atlanta and San Francisco, as well as prosecutors in Northern California and D.C.

DarkSide operates under a ransomware-as-a-service model in which it provides the malware that a criminal affiliate can use to lock up data on a victim’s computer system. When the victim pays the ransom to free up the system, the affiliate keeps a majority of the payment, while DarkSide gets the rest.

In this case, about 85 percent of the payment most likely was to have gone to DarkSide’s affiliate, said Tom Robinson, co-founder of Elliptic, a cryptocurrency analytics firm. Elliptic spotted the wallet suspected of holding Colonial’s ransom payment on May 14.

The 63.7 bitcoin were the affiliate’s share, Robinson said. It is not clear who has the rest of the proceeds, he said.

On May 13, DarkSide announced it was suspending its operation, that its servers had been “blocked” and funds from a payment server had been moved to “an unknown account.”

Those funds are still in that wallet, said Robinson, whose firm tracks cryptocurrency payments on a public digital ledger known as a “blockchain.” The ledger does not contain information identifying who controls the wallet.

The U.S. government was not behind the disruption of DarkSide’s operation, several U.S. officials told The Washington Post last month.

The FBI has traditionally advised victims not to pay the ransom on the grounds that doing so fuels criminal enterprise. The Biden administration is in the process of determining what the government’s formal ransomware policy should be, a senior administration official told The Post last week.

“The message we are sending today is that if you come forward and work with law enforcement, we may be able to take that type of action that we took today to deprive the criminal actors of what they’re going after here, which is the proceeds of their criminal scheme,” Monaco said. She added, however, “we cannot guarantee and we may not be able to do this in every instance.”

From October until it announced it lost access to its servers, DarkSide collected more than $90 million in bitcoin ransoms, Elliptic said.

The Justice Department in April created a ransomware and digital extortion task force. Its mission, officials said, is to investigate, disrupt and prosecute ransomware and digital extortion activity.


An earlier version of this article incorrectly said the seizure marked the first time the Justice Department had recovered a ransomware payment. It was the first time the department's new ransomware task force recovered a cryptocurrency ransomware payment. This version has been corrected.