
US says it seized $2.3 million in bitcoin from ransom Colonial Pipeline paid to ‘Russia-based’ hackers

With cooperation from Colonial, the DOJ got a warrant in a federal court in California and successfully “found and recaptured the majority of the ransom” from a bitcoin wallet, Deputy Attorney General Lisa Monaco announced on Monday. It was the first seizure of this kind ever, she said.

Colonial’s CEO admitted last month the company had paid a ransom in cryptocurrency – estimated at $4.4 million at the time – and argued “it was the right thing to do for the country.” 

Asked by reporters what may have happened to the other part of the ransom – estimated at $2 million – Monaco brushed off the question, circling back to her announcement that this was the first time ever that the DOJ’s Ransomware and Digital Extortion Task Force had seized a bitcoin ransomware payment. 

Just because they were able to recover some of the funds this time, she cautioned, doesn’t mean they will be able to do so in every case. If a company chooses to ignore the FBI’s advice and pay the ransom anyway, it should come forward and work with law enforcement if it wants to get some of the money back.

FBI Deputy Director Paul Abbate described DarkSide, the alleged authors of the ransomware that was used in the attack, as a “Russia-based cybercrime group,” offering no evidence for the claim.

The cybersecurity company Elliptic announced on May 17 that it had tracked down 47 distinct cryptocurrency wallets used by DarkSide, which had processed at least $90 million worth of bitcoin before they were suddenly closed under pressure from US authorities. About 80% of the money was sent to criminal affiliates, with DarkSide keeping $15.5 million as payment for the ransomware they allegedly developed. 

The pipeline that runs from Texas to New York supplies much of the southeastern US with fuel. Its weeklong shutdown in mid-May, due to the ransomware attack on its invoicing systems, left millions of Americans queuing up at gas stations. The Biden administration denied there was a shortage, while denouncing “hoarders” and price-gouging.

Hackers were able to access Colonial’s servers by using a single password from a ‘legacy’ virtual private network (VPN), Charles Carmakal of the cybersecurity company Mandiant, which consulted on the breach, told Bloomberg News last week. Colonial confirmed that this particular VPN was not “routinely” used and that only a handful of employees had access to it.


© 2021, paradox. All rights reserved.
