The US Department of Justice on Monday said it has recovered 63.7 Bitcoins, right now worth $2.1m and falling, of the 75 or so BTC the Colonial Pipeline operators paid the ransomware miscreants who infected the fuel provider's computers.
Deputy Attorney General Lisa Monaco said Colonial contacted the Feds shortly after some of its internal IT systems were infected by the extortionware in early May, causing a temporary halt in operations. The days-long shutdown of the pipeline, which supplies a good chunk of the US East Coast, led to panic buying and some gas pumps running dry.
A ransom of about $5m or 75 BTC was paid to the Darkside crew behind the attack.
It turns out the Feds were able to trace this payment through multiple transactions to "a specific address, for which the FBI has the 'private key'," the DoJ said. "This Bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering, and may be seized pursuant to criminal and civil forfeiture statutes."
How the FBI came to hold this private key is not entirely clear: the Feds may have gained access to a system hosting the key, or someone with access to it may have handed it over. Darkside complained in the middle of May that its servers had been seized and its money taken.
So it is quite possible Darkside's infrastructure was commandeered by the Feds, who were then able to recover the 75 BTC ransom minus the cut already paid by the ransomware gang to the affiliate that did the actual job of infecting Colonial Pipeline's computers – which was said to have occurred via a compromised VPN account.
This court filing [PDF] goes into more detail on how agents traced the ransom payment.
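To show what "tracing a payment through multiple transactions" looks like in practice, here is an added example (not the FBI's method, not code from the court filing, and not real chain data): a small, constructed UTXO transaction graph in which a 75 BTC payment is split, with one branch hopping through fresh addresses until it rests unspent. The function follows the payment forward and reports where the coins end up and the chain of transaction IDs that got them there. All transaction IDs and addresses are made-up labels.

```python
"""Follow a payment forward through a UTXO transaction graph.

Added example with constructed data: it illustrates the shape of the tracing
described in the article, not the FBI's tooling or any real transactions.
"""
from collections import deque

# Constructed sample graph (hypothetical txids and addresses):
#   txid -> {"in":  [(prev_txid, vout), ...],   # outpoints this tx spends
#            "out": [(address, amount_btc), ...]}
SAMPLE_TXS = {
    "ransom":  {"in": [],              "out": [("addr_darkside_1", 75.0)]},
    "split":   {"in": [("ransom", 0)], "out": [("addr_affiliate", 11.3),
                                               ("addr_darkside_2", 63.7)]},
    "hop2":    {"in": [("split", 1)],  "out": [("addr_darkside_3", 63.7)]},
    "hop3":    {"in": [("hop2", 0)],   "out": [("addr_seized", 63.7)]},
    "cashout": {"in": [("split", 0)],  "out": [("addr_exchange", 11.3)]},
}


def build_spend_index(txs):
    """Map each spent outpoint (txid, vout) to the txid that spends it.

    A valid chain never spends the same outpoint twice, so a repeat here
    means the input data is inconsistent.
    """
    index = {}
    for txid, tx in txs.items():
        for outpoint in tx["in"]:
            if outpoint in index:
                raise ValueError(f"outpoint {outpoint} spent twice")
            index[outpoint] = txid
    return index


def trace_forward(txs, start_txid, start_vout):
    """Follow one output forward until the coins rest in unspent outputs.

    Returns (unspent, paths): unspent maps each resting address to the
    amount sitting there; paths maps each resting address to the list of
    txids walked to reach it. When a spending transaction has several
    outputs, every output is followed, which over-approximates if that
    transaction also mixed in unrelated inputs; real tracing layers taint
    heuristics on top of this walk.
    """
    spends = build_spend_index(txs)
    unspent, paths = {}, {}
    queue = deque([((start_txid, start_vout), [start_txid])])
    seen = set()
    while queue:
        outpoint, path = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        txid, vout = outpoint
        address, amount = txs[txid]["out"][vout]
        spender = spends.get(outpoint)
        if spender is None:
            # Nothing spends this output: the coins rest here.
            unspent[address] = unspent.get(address, 0.0) + amount
            paths[address] = path
            continue
        for next_vout in range(len(txs[spender]["out"])):
            queue.append(((spender, next_vout), path + [spender]))
    return unspent, paths


if __name__ == "__main__":
    resting, routes = trace_forward(SAMPLE_TXS, "ransom", 0)
    for address, amount in resting.items():
        print(f"{amount:>6.1f} BTC at {address} via {' -> '.join(routes[address])}")
```

In the constructed graph the walk ends at two resting outputs: the affiliate's share at `addr_exchange` and the larger branch at `addr_seized`. Holding the private key for that last address is what lets an investigator move the coins; the trace alone only tells you where to look.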
"It's not the first time that the government has ever seized cryptocurrency in connection with ransomware attacks," said Monaco. "This is the first such seizure that the ransomware and digital taskforce has undertaken."
The Deputy AG continued that the Bitcoin seizure – authorized by a magistrate judge in California – was only possible because Colonial Pipeline's operators got the FBI involved early in the process. She urged other victims of ransomware to come forward: there was no guarantee funds could be found and returned, she said, though cooperation was vital to slow the spread of the malware.
“For financially motivated cybercriminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose,” said FBI Deputy Director Paul Abbate at a press conference on Monday. "We can have an immediate and permanent effect on ransomware." ®