US Recovers $2.3m In Bitcoin Paid To Colonial Pipeline Hackers
DarkSide – which US authorities said operates from eastern Europe and possibly Russia – infiltrated the pipeline last month. The attack disrupted supplies for several days causing fuel shortages.
According to the firm, the pipeline carries 45% of the East Coast’s supply of diesel, petrol and jet fuel.
On Monday, Deputy Attorney-General Lisa Monaco said investigators had “found and recaptured” 63.7 Bitcoin worth $2.3m – “the majority” of the ransom paid. Since the ransom was paid, the value of Bitcoin has fallen sharply.
An affidavit filed on Monday said the FBI was in possession of a private key to unlock a bitcoin wallet that had received most of the funds. It was unclear how the FBI gained access to the key.
A judge in San Francisco approved the seizure of funds from this “cryptocurrency address,” which the filing said was located in the Northern District of California.
Colonial Pipeline had stated that it paid the hackers nearly $5 million to regain access. Bitcoin was trading down nearly 5% around 1800 ET (2200 GMT). The cryptocurrency’s value has dropped to around $34,000 in recent weeks after hitting a high of $63,000 in April.
Bitcoin seizures are rare, but authorities have stepped up their expertise in tracking the flow of digital money as ransomware has become a growing national security threat and put a further strain on relations between the United States and Russia, where many of the gangs are based.
“Right now, prosecution is a pipedream,” John Hultquist, vice president at the cybersecurity firm Mandiant, said in praising the move. “Disrupt. Disrupt. Disrupt.”
The hack caused a days-long shutdown that led to a spike in gas prices, panic buying and localised fuel shortages.
It posed a major political headache for President Joe Biden as the U.S. economy was starting to emerge from the COVID-19 pandemic.
The White House urged corporate executives and business leaders last week to step up security measures to protect against ransomware attacks after the Colonial hack and later intrusions that disrupted operations at a major meatpacking company.
Deputy FBI Director Paul Abbate, who spoke at the same news conference as Monaco on Monday, described DarkSide as a Russia-based cybercrime group.
Abbate stated that the FBI was tracking more than 100 ransomware variants. DarkSide itself had victimized at least 90 U.S. companies, including manufacturers and healthcare providers, he said.
Meanwhile, Colonial Chief Executive Joseph Blount, who will testify before the Senate on Tuesday, said in a statement that the company had worked closely with the FBI from the beginning and was “grateful for their swift work and professionalism.”
Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks.
The FBI affidavit filed on Monday said that the bureau had tracked the bitcoin through multiple wallets, using the public blockchain and tools. Small amounts were shaved off the initial 75 bitcoin payment along the way.
The remaining amount reached the final wallet on May 27 and stayed there until Monday.