
Federal Officials Recover Bitcoin Ransom From Colonial Pipeline Attack


Colonial paid $4.4 million in bitcoin after its systems fell victim to a ransomware attack last month.


Jun 7, 2021, 6:50 PM
Updated Aug 21, 2021, 7:25 PM


Federal officials have recovered $2.3 million in bitcoin that Colonial Pipeline paid to a criminal outfit during a ransomware attack, the Department of Justice announced Monday.

Colonial Pipeline paid about $4.4 million in bitcoin to the attackers, linked to the Darkside ransomware group, after its payment systems were frozen last month. The company had to halt fuel transportation across the East Coast of the U.S., sparking fears of a gas shortage in a dozen states. Deputy Attorney General Lisa Monaco said Monday that the company contacted law enforcement, allowing federal agents to track and seize a bitcoin wallet.

"The Department of Justice has found and recovered the majority of the ransom paid," Deputy Attorney General Lisa Monaco said in a press briefing.

An affidavit filed by an FBI agent provided further details. According to public court documents, the agent, whose name was redacted, tracked the bitcoin Colonial sent to Darkside across several transactions recorded on the bitcoin ledger, using a block explorer.

About 63.7 BTC was sent to an address controlled by the FBI.

The bitcoin appears to come from the affiliate that deployed Darkside's ransomware, not Darkside itself, said Tom Robinson, chief scientist at Elliptic. He told CoinDesk the funds appear to have been seized at 1:40 p.m. ET.

In a blog post, Robinson said 15% of the total payment went to Darkside itself.

"The private key for the Subject Address is in the possession of the FBI in the Northern District of California," the affidavit said.

FBI Deputy Director Paul Abbate said federal officials had seized a bitcoin wallet that held the proceeds from the Colonial attack. It appears that the perpetrators still have about $2 million in crypto.

"Victim funds were seized from that wallet, preventing Darkside actors from using them," he said.

The funds were seized as part of a ransomware task force created by the DOJ.

"The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge. But the old adage 'follow the money' still applies. And that's exactly what we do," Monaco said.

CNN first reported the news.

Ransomware attacks have been on the rise recently, with a number of high-profile and critical infrastructure firms falling victim to such cyberattacks. In her opening remarks, Monaco warned companies to take steps immediately to secure their systems or risk falling victim.

The U.S. Department of Justice did not immediately share further details.

UPDATE (June 7, 2021, 22:03 UTC): Updated with details from DOJ officials and additional commentary.
