The Justice Department said on Monday that it had recovered much of the ransom paid to hackers last month who shut down the computer systems of Colonial Pipeline, a critical pipeline operator.
Colonial had paid a ransom worth roughly $4.4 million in Bitcoin to the Russian hacking group DarkSide after it used ransomware, a form of malicious software, to hold up the company’s business networks in May. That payment cleared the way for Colonial to resume pumping fuel through its pipeline, which stretches from Texas to New Jersey and accounts for nearly half of all transport fuels that flow up the East Coast.
The seizure on Monday marked a first-of-its-kind effort by a new Justice Department task force to hijack a cybercriminal group’s profits through a hack of its Bitcoin wallet. The Justice Department said that it had seized 63.7 Bitcoins, currently valued at about $2.3 million. (The value of a Bitcoin has dropped over the past month.)
“Earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network,” the deputy attorney general, Lisa O. Monaco, said at a news conference Monday.
“Using technology to hold businesses, and even whole cities, hostage for profit is decidedly a 21st-century challenge, but the old adage, ‘follow the money,’ still applies,” Ms. Monaco said.
Officials said that they identified a virtual currency account, often referred to as a “wallet,” that DarkSide had use to collect payment from one of its ransomware victims, and that a magistrate judge in the Northern District of California had granted a warrant to seize funds from the wallet earlier in the day.
The New York Times had earlier reported that Colonial Payment’s ransom payout — as well as that of a German company, Brenntag — had been removed from DarkSide’s Bitcoin wallet, though it was not clear who had orchestrated the move.
Colonial shut down its pipeline in response to the cyberattack, which included hackers threatening to release the company’s data to the public, setting off panic buying and a fuel shortage that sent gas prices soaring and forced airlines to make extra fuel stops.
Weeks after DarkSide attacked Colonial, hackers associated with a Russian hacking group called Revil, used ransomware in an attempt to extort money from JBS, the world’s largest meat processor. The attack forced JBS to shutter nine U.S. beef plants and disrupted poultry and pork plants. Cybersecurity researchers said that DarkSide is an offshoot of Revil.
The back-to-back attacks showed that hackers who once focused on stealing corporate secrets have begun to disrupt critical infrastructure. And the episodes raised questions about whether U.S. corporations could protect themselves against cyberthreats.
The White House held emergency meetings to address the attack, which led the Biden administration to make a series of announcements related to cyberattacks and ransomware.