The US Department of Justice (DoJ) has seized more than $2.3 million in bitcoin that was allegedly destined to line the pockets of those behind the Colonial Pipeline ransomware attack.
The funds are said to represent a “significant portion” of the proceeds of a ransom payment to those in the ‘DarkSide’ cybercrime group who targeted Colonial Pipeline in May, resulting in critical US infrastructure being temporarily taken out of operation.
Feds-in-the-Middle
After its corporate IT network was compromised in early May, Colonial Pipeline informed the FBI it had paid a ransom demand of approximately 75 bitcoin ($4.3 million), according to a DoJ news release issued yesterday (June 9).
As alleged in a supporting affidavit (PDF), after reviewing the bitcoin public ledger, law enforcement was able to track multiple transfers and “identify that approximately 63.7 bitcoins had been transferred to a specific address”.
“This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes,” the DoJ said.
The FBI was able to extract the funds after obtaining the private key associated with the primary DarkSide bitcoin address.
“Despite the extraordinary lengths the criminals took to cover the digital tracks of their ill-gotten gains, FBI San Francisco’s investigative team was relentless and used all technical means to make this seizure,” said FBI special agent, Craig Fair.
“Hackers and other cybercriminals simply cannot rely on cryptocurrency to evade the reaches of law enforcement.”
Bowing to demands
Spanning nearly 9,000km between Texas and New York, the Colonial Pipeline is the largest pipeline system for refined oil products in the US. It has the capacity to carry up to 3 million barrels a day between Texas and New York.
In the days following the ransomware attack, unconfirmed reports were circulating that Colonial Pipeline had paid up to $5 million in order to regain access to its systems.
The news sparked yet more warnings from both security analysts and the FBI against the payment of ransoms by victim organizations or individuals, for fear of creating a ‘cybercrime feedback loop’.
Akin to the prevailing policies that many nations take against refusing to negotiate with those involved in carrying out maritime kidnappings, proponents of the non-payment of ransomware demands say this is the only way to ensure these types of cyber-attacks will cease.
Source: https://portswigger.net/daily-swig/colonial-pipeline-cyber-attack-us-authorities-seize-2-3m-in-darkside-ransomware-payments
