DOJ seizes $2.3 million in cryptocurrency paid by Colonial Pipeline to hackers

WASHINGTON—The Department of Justice (DOJ) announced on June 7, 2021, that it seized 63.7 bitcoins currently valued at approximately $2.3 million, allegedly representing the proceeds of a May 8 ransom payment made by Colonial Pipeline to cybercriminal group DarkSide.

The DOJ’s announcement of the seizure of funds came just one month after Colonial Pipeline suffered a devastating ransomware attack on May 6 at the hands of DarkSide in what was arguably the largest cyberattack against U.S. critical infrastructure in U.S. history. The ransomware attack shut off the country’s largest fuel pipeline - delivery of an estimated 45 percent of fuel consumed on the East Coast - for nearly one week before resuming fuel delivery on May 12.

Following the cyberattack, Colonial Pipeline reported to the Federal Bureau of Investigations (FBI) that its computer network was accessed by an organization named DarkSide and that it had received and paid a ransom demand for approximately 75 bitcoins.

The seizure warrant for the cryptocurrency was authorized by the Honorable Laurel Beeler, U.S. Magistrate Judge for the Northern District of California.

“Following the money remains one of the most basic, yet powerful tools we have,” said Deputy Attorney General Lisa O. Monaco for the DOJ. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes. 

“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” said FBI Deputy Director Paul Abbate. “We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.” 

The Colonial Pipeline ransomware was among the latest in a troubling pattern of cyberattacks on the nation’s critical infrastructure. Two weeks ago, another devastating ransomware attack crippled the world’s largest meat supplier, JBS USA, affecting servers supporting its North American and Australian IT systems. The cyberattack, which the FBI announced was orchestrated by Russian-based hacker group REvil, forced JBS to suspend operations at all U.S. plants until resuming operations on June 2. 

“Cyber criminals are employing ever more elaborate schemes to convert technology into tools of digital extortion,” noted Acting U.S. Attorney for the Northern District of California Stephanie Hinds. “We need to continue improving the cyber resiliency of our critical infrastructure across the nation, including in the Northern District of California. We will also continue developing advanced methods to improve our ability to track and recover digital ransom payments.”

Last week, the DOJ issued a memo to U.S. attorneys’ offices to elevate ransomware attack investigations to the same level of priority as terrorism. The memo directs U.S. prosecutors to report information on all ransomware investigations they are working on to the recently formed Ransomware and Digital Extortion Task Force, which was created to combat the growing number of ransomware and digital extortion attacks.

The Task Force prioritizes the disruption, investigation, and prosecution of ransomware and digital extortion activity by tracking and dismantling the development and deployment of malware, identifying the cybercriminals responsible, and holding those individuals accountable for their crimes. It also strategically targets the ransomware criminal ecosystem as a whole and collaborates with domestic and foreign government agencies as well as private sector partners to combat this significant criminal threat.