The Department of Justice (DOJ) says it has recovered $2.3 million in bitcoin from the roughly $4.4 million ransom Colonial Pipeline paid after last month's ransomware attack.
Monday's announcement came from Deputy Attorney General Lisa Monaco. The funds were seized by the DOJ's recently formed Ransomware and Digital Extortion Task Force.
FBI Deputy Director Paul Abbate said the FBI had obtained the private key to a bitcoin wallet holding part of the Colonial Pipeline ransom. The gang still appears to hold about $2 million worth of the cryptocurrency.
On Tuesday, Colonial Pipeline CEO Joseph Blount testified about the attack before the Senate Homeland Security and Governmental Affairs Committee.
Blount told the Senate that DarkSide's operators breached Colonial's network using a single compromised password for a legacy VPN account that did not require multi-factor authentication. He also had to defend his decision to pay more than $4 million in ransom.
Ransomware attack on U.S. critical infrastructure
In her press briefing, Monaco said that Colonial contacted law enforcement early in the attack, which was key to federal agents being able to trace and seize the ransom bitcoin.
The pipeline is part of U.S. critical infrastructure. The attack by the DarkSide cybercriminal gang caused short-term fuel shortages in 12 states.
The ransomware hit the company's billing and other IT systems, and Colonial shut down the pipeline as a precaution, temporarily halting fuel transport along the East Coast and disrupting the supply chain.
FBI tracked the bitcoin ransom
The identity of the FBI agent who traced the bitcoin is redacted in the affidavit supporting the seizure warrant. According to the affidavit, the agent followed the bitcoin Colonial sent to DarkSide across the transactions recorded on the public bitcoin ledger.
The FBI did this with a publicly available block explorer, a tool that displays the details of individual transactions, addresses, and blocks on the blockchain.
“The private key for the Subject Address is in the possession of the FBI in the Northern District of California,” the seizure affidavit states.
According to the affidavit, 63.7 BTC, worth about $2.3 million at the time of seizure (bitcoin's price had fallen since the ransom was paid), was sent to the address the FBI now controls.
According to a blog post by Tom Robinson, chief scientist at Elliptic, the seized bitcoin was not held in DarkSide's own wallet. It sat with the affiliate that had deployed DarkSide's ransomware: DarkSide operates as ransomware-as-a-service, and only 15% of the ransom Colonial paid went to DarkSide itself, with the rest going to the affiliate.
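The tracing the affidavit describes, following a payment forward through the transactions on the ledger and watching it split between the affiliate and the operator, is mechanical enough to show in code. The following is an added example, not code from the article, the FBI, or Elliptic. The transaction IDs, addresses and amounts are constructed to mirror the narrative above (a ransom payment, a 15% cut to the operator, the remainder swept to an address later seized); they are not the real Colonial transactions. It also goes one step beyond the article and shows what proportional ("haircut") attribution does when tainted coins are commingled with clean ones, which is where explorer-level tracing gets ambiguous.

```python
"""Follow-the-money over a constructed bitcoin transaction graph.

Added example, not code from the article, the DOJ, or the FBI. All txids,
addresses and amounts are constructed for illustration.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Tuple

SATS = 100_000_000                     # satoshis per BTC
Outpoint = Tuple[str, int]             # (txid, output index)


@dataclass
class TxOut:
    address: str
    value: int                         # satoshis


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]             # outputs being spent; empty = funding tx
    outputs: List[TxOut]


def btc(amount: str) -> int:
    """Decimal BTC string -> satoshis, exactly (no float rounding)."""
    return int(Fraction(amount) * SATS)


def trace_forward(txs: List[Tx], start: Outpoint) -> Dict[str, int]:
    """Attribute the value of `start` to the unspent outputs that descend from it.

    Proportional ("haircut") attribution: when a transaction spends tainted and
    clean inputs together, every output carries taint in the same ratio as the
    inputs did. Fees are simply lost. `txs` must be in dependency order
    (parents before children), as they are on chain.
    """
    by_id: Dict[str, Tx] = {}
    spent: Dict[Outpoint, str] = {}
    taint: Dict[Outpoint, Fraction] = {}

    for tx in txs:
        if tx.txid in by_id:
            raise ValueError(f"duplicate txid {tx.txid}")
        tainted_in, total_in = Fraction(0), 0
        for op in tx.inputs:
            if op[0] not in by_id:
                raise ValueError(f"{tx.txid} spends unknown output {op}")
            if op in spent:
                raise ValueError(f"double spend of {op}")
            spent[op] = tx.txid
            total_in += by_id[op[0]].outputs[op[1]].value
            tainted_in += taint.get(op, Fraction(0))
        by_id[tx.txid] = tx
        if tx.txid == start[0]:
            # The payment we are following is fully "ours", whatever funded it.
            taint[start] = Fraction(tx.outputs[start[1]].value)
            continue
        if tainted_in == 0:
            continue
        frac = tainted_in / total_in
        for i, out in enumerate(tx.outputs):
            taint[(tx.txid, i)] = frac * out.value

    reached: Dict[str, int] = {}
    for op, t in taint.items():
        if op not in spent and t > 0:
            addr = by_id[op[0]].outputs[op[1]].address
            reached[addr] = reached.get(addr, 0) + int(t)   # floor fractional sats
    return reached


def share(reached: Dict[str, int], address: str, paid_sats: int) -> float:
    """Fraction of the traced payment that ended up unspent at `address`."""
    return reached.get(address, 0) / paid_sats


# Constructed chain (illustrative amounts, not the real transactions):
#   funding -> victim holds 80 BTC
#   ransom  -> victim pays 75 BTC to an affiliate-controlled deposit address
#   split   -> affiliate keeps 85%, 15% goes to the DarkSide operator
#   sweep   -> affiliate moves its share to the address later seized
CHAIN = [
    Tx("funding", [], [TxOut("victim", btc("80"))]),
    Tx("ransom", [("funding", 0)],
       [TxOut("affiliate_deposit", btc("75")), TxOut("victim_change", btc("4.99"))]),
    Tx("split", [("ransom", 0)],
       [TxOut("darkside_operator", btc("11.25")), TxOut("affiliate", btc("63.75"))]),
    Tx("sweep", [("split", 1)], [TxOut("subject_address", btc("63.7"))]),
]
RANSOM_OUTPUT: Outpoint = ("ransom", 0)

# Variant: the affiliate's share is commingled with 36.25 BTC of clean coins and
# paid out 50/50; haircut attribution then taints each output only partially.
MIXED_CHAIN = CHAIN[:3] + [
    Tx("clean", [], [TxOut("clean_source", btc("36.25"))]),
    Tx("mix", [("split", 1), ("clean", 0)],
       [TxOut("mix_a", btc("50")), TxOut("mix_b", btc("50"))]),
]

if __name__ == "__main__":
    for name, chain in (("simple", CHAIN), ("commingled", MIXED_CHAIN)):
        reached = trace_forward(chain, RANSOM_OUTPUT)
        print(f"-- {name} --")
        for addr, sats in sorted(reached.items()):
            pct = share(reached, addr, btc("75"))
            print(f"{addr:20s} {sats / SATS:8.3f} BTC  ({pct:.1%} of ransom)")
```

In the simple chain the tracer reports 11.25 BTC (15%) resting with the operator and 63.7 BTC at the swept address, with the 0.05 BTC fee dropped, which is the picture the affidavit and Elliptic describe. In the commingled variant it can only say that each 50 BTC output is 63.75% ransom money; deciding which output the affiliate actually kept requires clustering heuristics or off-chain information, not the ledger alone.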
“Victim funds were seized from that wallet, preventing Darkside actors from using them,” FBI Deputy Director Abbate confirmed.
“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge. But the old adage ‘follow the money’ still applies. And that's exactly what we do,” Deputy Attorney General Monaco said.