FBI Seize $2 Million in Bitcoin From Colonial Pipeline Ransom
The FBI announced it had seized more than $2 million in bitcoin that was part of the Colonial Pipeline ransom payment.
Federal authorities have recovered more than $2 million in cryptocurrency paid in ransom to foreign hackers whose attack last month led to the shutdown of a major pipeline that provides nearly half the East Coast’s fuel, according to officials.
The seizure of funds paid by Colonial Pipeline to a Russian hacker ring, DarkSide, marks the first recovery by a new ransomware Justice Department task force. It follows a string of cyber attacks that panicked consumers and led President Biden to warn Russia that it needed to take “decisive action” against the criminal networks.
“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge,” Deputy Attorney General Lisa Monaco said, announcing the recovery on Monday afternoon. “But the old adage, follow the money still applies.”
“Today we turned the tables on DarkSide,” she said.
The ransomware attack on Colonial in early May prompted the company to shut its pipeline operation for 11 days, causing panic buying that resulted in gasoline shortages in much of the southeastern United States. The hackers locked up Colonial’s business computer networks by encrypting data on them and demanded millions of dollars in ransom to unlock the system.
Victims worldwide paid at least $412 million in ransom last year, according to Chainalysis, a firm that tracks cryptocurrency payments. It noted that this is a conservative estimate, since many victims do not report their ransom payments.
The problem has become so acute that Biden will raise it when he meets with Russian President Vladimir Putin in Geneva this month. National security adviser Jake Sullivan said Monday that the subject also will be raised during the president’s meeting with the leaders of the Group of Seven nations in Britain a few days before the Geneva summit.
Sullivan said he would like the G-7 to come up with an “action plan” to increase resilience to attacks and deal with the cryptocurrency challenge. Cryptocurrency, which allows users to mask their identities, “lies at the core of how these ransom transactions are played out,” he said.
As a result, ransomware attacks have become a matter of national security and economic security, officials said.
Having obtained a warrant granted by a federal judge in the Northern District of California, the FBI on Monday seized proceeds from a digital “wallet” that held the ransom collected by the hackers, FBI Deputy Director Paul Abbate said. The ransom was paid in bitcoin, a form of cryptocurrency.
The warrant authorized seizure of 63.7 bitcoin, or $2.3 million at the current exchange rate.
The bureau obtained the “private key” for the wallet address, according to an affidavit for the warrant. The key is basically a password that enabled the FBI to move bitcoin out of the wallet.
Officials did not explain how the FBI got the key.
The hackers demanded and were paid a ransom of 75 bitcoin on May 8, according to the affidavit. On that date, the value of bitcoin was higher — worth about $4.3 million.
Colonial Pipeline CEO Joseph Blount told The Wall Street Journal last month that the firm paid the ransom. “I know that’s a highly controversial decision,” he said. “ … But it was the right thing to do for the country.”
Would it be a stretch to say that ransomware payments have been contributing to the surge in cryptocurrency valuations? I mean, that’s an answer for “what is it good for?”
If you have a trick that only works once, when do you pull the trigger?
I think that this was as good a place as any to pull it… though I wonder what will replace it in the vacuum.
Seamus Hughes here seems to say “the dude who gave them the IDs and passwords for their accounts passed them on to the FBI”, whereas Sean Gallagher is saying the system (Phantom Secure…) was completely rigged.
But the former is a bit more plausible — they trusted informant guy, but that’s what makes an informant an informant….
I mean, yeah, the FBI could set up a trapped secure messaging service…
The key is to not have a trick that only works once.
Well, maybe some criminals will still keep using Anom.
Fingers crossed.
800 arrests. 9000 active users. Seriously in the news.
I’m guessing “still using” isn’t really an issue.
I read once about the FBI setting up a sting using a phony company to fence stolen goods; they nabbed a haul of crooks.
Then repeated the very same sting, with a phony company called GYA Investments, standing for “Got Ya Again”.
Crooks are smart, but greed makes smart people do stupid things.