U.S. Seizes Share of Ransom From Hackers in Colonial Pipeline Attack
08 Jun 2021

The Justice Department said on Monday that it had seized much of the ransom that a major U.S. pipeline operator had paid last month to a Russian hacking collective, turning the tables on the hackers by reaching into a digital wallet to snatch back millions of dollars in cryptocurrency.

Investigators in recent weeks traced 75 Bitcoins worth more than $4 million that Colonial Pipeline had paid to the hackers as the attack shut down its computer systems, prompting fuel shortages, a spike in gasoline prices and chaos at airlines.

Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to DarkSide, the hacking group, before landing in one that a federal judge allowed them to break into, according to law enforcement officials and court documents.

The Justice Department said it seized 63.7 Bitcoins, valued at about $2.3 million. (The value of a Bitcoin has dropped over the past month.)

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge, but the old adage ‘follow the money’ still applies,” Lisa O. Monaco, the deputy attorney general, said at the news conference at the Justice Department.

Law enforcement officials highlighted the seizure in an effort to warn cybercriminals that the United States planned to take aim at their profits, which are often gained through cryptocurrencies like Bitcoin. It was also intended to encourage victims of ransomware attacks — which occur every eight minutes, on average — to notify the authorities to help recover ransoms.

For years, victims have opted to quietly pay cybercriminals, calculating that the payment would be cheaper than rebuilding data and services. Though the F.B.I. discourages ransom payments, they are legal and even tax deductible. But the payments — which collectively total billions of dollars — have funded and emboldened ransomware groups.

Justice Department officials said that Colonial’s willingness to quickly loop in the F.B.I. helped recoup the ransom portion, and they credited the company for its role in a first-of-its-kind effort by a new ransomware task force in the department to hijack a cybercrime group’s profits.

“We must continue to take cyberthreats seriously and invest accordingly to harden our defenses,” Joseph Blount, the chief executive of Colonial, said in a statement. Mr. Blount said that after his company contacted the F.B.I. and the Justice Department to notify them of the attack, investigators helped Colonial understand the hackers and their tactics.

The Justice Department’s announcement also came before President Biden’s scheduled meeting with President Vladimir V. Putin of Russia next week in Geneva, where Mr. Biden is expected to address what American officials see as the Kremlin’s willingness to provide protection for hackers. Russia typically does not arrest or extradite suspects in ransomware attacks.

The New York Times reported last month that Colonial Pipeline’s ransom payout had moved out of DarkSide’s Bitcoin wallet, though it was not clear who had orchestrated the move.

On Monday, the government filled in some of the blanks. DarkSide operates by providing ransomware to affiliates. In exchange, DarkSide reaps a cut of their profits.

Officials said they had identified a virtual currency account, often referred to as a wallet, that DarkSide used to collect payment from a ransomware victim — identified in court papers only as Victim X, but whose hacking details match Colonial’s. The officials said that a magistrate judge in the Northern District of California had approved a warrant on Monday to seize funds from the wallet.

The F.B.I. began investigating DarkSide last year and identified more than 90 victims across multiple sectors of the economy, including manufacturing, law, insurance, health care and energy, Paul M. Abbate, the deputy director of the F.B.I., said at the news conference.

DarkSide first surfaced in August and is believed to have started as an affiliate of another Russian hacking group, called REvil, before opening its own operation last year.

By Katie Benner and Nicole Perlroth, The New York Times, 7 June 2021
