The US Justice Department has recovered 63.7 Bitcoins worth over $2.3 million from the hacker collective responsible for the Colonial Pipeline hack that led to fuel shortages across the US East Coast last month.
At the time of the ransom, which was paid after the May 7 cyberattack, the 75 Bitcoins handed over were worth around $4.4 million.
“Earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network,” deputy attorney general Lisa Monaco said at a news conference on Monday.
“Ransomware attacks are always unacceptable—but when they target critical infrastructure, we will spare no effort in our response,” she said.
“Today, we turned the tables on DarkSide. By going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency, we will continue to use all of our tools, and all of our resources to increase the cost and the consequences of ransomware attacks and cyber-enabled attacks.”
The FBI had been investigating DarkSide for over a year. On May 14, after the hack, DarkSide posted a statement saying it had disbanded after its internet servers and cryptocurrency holdings were seized by law enforcement.
DarkSide is what is called a “ransomware-as-a-service” (RaaS) platform, modelled on the software-as-a-service (SaaS) model under which software is leased, except that RaaS leases ransomware. Global ransomware revenues in 2020 were estimated at around $20 billion, according to a PurpleSec report.
The FBI said it was able to track multiple transfers of bitcoin and identify the 63.7 bitcoins used in the payment. It found the funds had been transferred to a specific address for which the FBI held the all-important “private key”.
Bitcoin addresses are tied to a “public key” and a “private key” that work together; without the private key, recovering the funds should in theory be impossible. How the FBI obtained the key has not been disclosed.
Since Colonial Pipeline handles about 45 per cent of all fuel consumed on the East Coast, its operational slowdown led to gas lines across the region. The decision to pay the ransom was taken hours after the hack was revealed.
At the time, the company said the decision was not taken lightly. “Tens of millions of Americans rely on Colonial—hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the travelling public,” the company said.
The hackers, reportedly based in Russia, used a compromised password for a VPN account, according to cybersecurity firm Mandiant. The password was among a batch of credentials that had been leaked on the dark web, according to a Bloomberg report.
Colonial Pipeline CEO Joseph Blount is scheduled to appear before the House Committee on Homeland Security on June 9.