The U.S. recovered almost all the Bitcoin ransom paid to the perpetrators of the cyber attack on Colonial Pipeline Co. last month in a sign that law enforcement is capable of pursuing online criminals even when they operate outside the nation’s borders.
U.S. officials said Monday that they captured about 63.7 Bitcoin traced to recipients of a 75-Bitcoin ransom paid by Colonial soon after the early May attack that resulted in a shutdown of the nation’s largest gas pipeline. The shutdown had caused fuel shortages across the east coast just ahead of the Memorial Day weekend.
Because of the declining value of Bitcoin since the ransom was paid, the U.S. seizure in late May amounted to $2.3 million, just over half the $4.4 million paid weeks earlier after the ransom was demanded.
Deputy FBI Director Paul Abbate said at a Justice Department briefing announcing the seizure that law enforcement identified a virtual wallet used in the ransom payment and then recovered the funds. He said investigators found more than 90 companies victimized by DarkSide, a Russia-linked cybercrime group blamed in the pipeline attack.
“Today we turned the tables on DarkSide,” Deputy Attorney General Lisa Monaco said, as she called on companies to invest more to protect their critical infrastructure and intellectual property. “DarkSide and its affiliates have been digitally stalking U.S. companies for the better part of last year.”
The action signals U.S. law enforcement’s ability, in some cases at least, to track cryptocurrency, identify digital wallets and seize funds, a potentially powerful tool in combating ransomware attacks in particular. The operation also reveals how quickly hacking operations can be identified by the FBI, which Abbate said has been investigating DarkSide since last year.
The FBI was able to find the Bitcoin by uncovering the digital addresses the hackers used to transfer the funds, according to an eight-page seizure warrant released by the Justice Department on Monday.
“New financial technologies that attempt to anonymize payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hard-working Americans,” Stephanie Hinds, acting U.S. Attorney for the Northern District of California, said at the news conference alongside Monaco and Abbate.
While the government’s efforts were significant, they also underscored the difficulty in going after the perpetrators of ransomware attacks. To date, no one behind the Colonial Pipeline attack has been publicly indicted, and the hackers still made off with a small portion of the ransom. Even if the people behind the attack are charged, they probably will remain out of reach of U.S. law enforcement agencies.
The attack in May caused fuel shortages at gasoline stations in several states and even affected operations by some airlines and airports. It was part of an increasing trend of such acts against critical infrastructure that is posing an early test of President Joe Biden’s administration.
Colonial Pipeline said Monday that it quickly contacted the FBI and federal prosecutors after it was attacked and praised the government for recovering much of the ransom.
“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” Joseph Blount, chief executive officer of the Alpharetta, Georgia-based company, said in a statement. “We we must continue to take cyber threats seriously and invest accordingly to harden our defenses”
U.S. intelligence and law enforcement officials say stopping hacking attacks has become a national security priority, and the issue has raised tensions between the U.S. and Russia. Biden plans to bring up hacking attacks when he meets with Russian President Vladimir Putin next week, White House Press Secretary Jen Psaki has said.
The message at the one-on-one meeting in Geneva on June 16 will be that “responsible states do not harbor ransomware criminals, and responsible countries must take decisive action against those ransomware networks,” Psaki said. Putin has denied knowing about or being involved in ransomware attacks.
In another episode, Brazilian-based JBS SA, the world’s largest meat processor, restarted beef production last week after a ransomware attack forced it to halt operations across the globe.
“Ransomware attacks are always unacceptable, but when they target critical infrastructure we will spare no effort in our response,” Monaco said.
–With assistance from Malathi Nayak and Gerson Freitas Jr..