Investigators seized about 64 bitcoin, valued at roughly $2.3 million, from a virtual wallet—the alleged proceeds from the ransom hack carried out by a suspected Russian-based criminal gang on Colonial Pipeline Co., the Justice Department said.
“The extortionists will never see this money,” Stephanie Hinds, acting U.S. attorney for the Northern District of California, where the seizure warrant was obtained, told reporters. “This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”
Senior Biden administration officials have in recent weeks characterized ransomware, in which criminals take an organization’s data or computer system hostage for ransom, as an urgent national-security threat. In just the past month ransomware attackers linked to Russia have threatened the nation’s fuel and meat supply, and poorly defended school systems, hospitals and local governments have suffered increasingly frequent ransomware attacks.
Ransomware has also become a diplomatic issue for the U.S., because the perpetrators of the attacks often appear to reside in countries unwilling to extradite them to the U.S., like Russia or North Korea. President Biden and other officials have said there is no evidence the Russian government was involved in the Colonial attack, but have condemned Russian President Vladimir Putin for allowing criminal hackers to target the U.S. freely. Mr. Biden intends to discuss the matter with Mr. Putin at their summit in Geneva on June 16.
“One of the things that President Biden will make clear to President Putin when he sees him is that states cannot be in the business of harboring those who are engaged in these kinds of attacks,” Secretary of State Antony Blinken said Monday in congressional testimony.
Mr. Putin has broadly denied Western accusations about cyberattacks originating in Russia and said on Russian state television last week that it was absurd to suggest any Russian involvement in recent ransomware attacks
Last month Colonial Pipeline, which transports gasoline, diesel, jet fuel and other refined products from the Gulf Coast to Linden, N.J., was shut down for six days as the company responded to the ransomware attack on its business systems. The company voluntarily took the pipeline offline due to concerns the hack would spread, and the stoppage spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than six years and left thousands of gas stations without fuel.
The FBI officially discourages victims from paying ransoms because doing so can fuel a booming criminal marketplace and often won’t actually result in the restoration of the frozen computer systems. But the pipeline company’s Chief Executive Officer Joseph Blount told The Wall Street Journal the company paid $4.4 million to the hackers because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back online.
The ransom amounted to 75 bitcoin, a person familiar with the payment said, of which 64 was recovered. Because the cryptocurrency fluctuates dramatically in value, the dollar value recovered was only a little more than half the dollar value of the ransom payment.
In a statement Monday, Mr. Blount said Colonial plans to keep sharing “intelligence and learnings” with federal agencies, and that its goal was to help other critical infrastructure companies harden their cyber defenses and collaborate across industries to thwart attacks.
“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” Mr. Blount said.
Mr. Blount is scheduled to testify at the Senate about the hack and pipeline outage on Tuesday and again before a House committee on Wednesday.
On Monday investigators obtained a seizure warrant from a magistrate judge in northern California that enabled authorities working with Colonial Pipeline to capture the bitcoin from the virtual wallet linked to the hacking group.
The FBI had tracked Colonial’s ransom payment across several bitcoin addresses in May, court documents show.
Law-enforcement officials often work with private-sector analysts who can track cryptocurrency transactions across public ledgers known as blockchains. By mapping clusters of virtual wallets and cross-referencing their transactions with intelligence about hacks, analysts say, they are able to reliably trace many ransom payments.
Upon receiving payouts from victims such as Colonial, hackers often switch funds among several wallets to cover their tracks or pay affiliates, as well as convert ransoms to different cryptocurrencies or hard money at exchanges. Law-enforcement officials can step in with search warrants and seize funds from the exchanges, analysts say.
“Because bitcoin transactions are available on a publicly distributed ledger, in many cases law enforcement can trace bitcoin payments and track stolen funds,” said Sujit Raman, a former senior Justice Department official. “When cybercriminals use bitcoin, that can sometimes be more traceable than just using cash or fiat currency.”
U.S. law enforcement have previously seized ransomware proceeds and other cryptocurrency sums, including more than $1 million tied to a Palestinian militant group last year. Officials Monday indicated they intended to more frequently seek to recover funds paid to ransomware operators to disincentivize the activity.
Administration officials and some lawmakers have in recent weeks called for consideration of tighter regulations of digital currencies, noting they have enabled ransomware groups and other criminals to extort victims.
The FBI has previously blamed the Colonial Pipeline attack on DarkSide, a prolific ransomware group that U.S. officials say is based in Russia and that security researchers say has made tens of millions over the past year, often by sharing its malware with affiliate criminals and then splitting proceeds. Tom Robinson, co-founder of blockchain analytics firm Elliptic, which tracked the Colonial-to-DarkSide transaction, said the amount seized appears to represent DarkSide affiliates’ share of the stash.
Investigators have identified over 90 victims of DarkSide ransomware across several critical infrastructure sectors, including manufacturing, legal, insurance, healthcare and energy, FBI Deputy Director Paul Abbate said Monday.
DarkSide told associates last month that it was shutting down in the wake of the pipeline hack, citing pressure from U.S. law enforcement. Security researchers, however, said it is not uncommon for ransomware groups such as DarkSide to disband, only to pop up later under a different name.