In a major blow, the U.S. Department of Justice on Monday said it has recovered 63.7 bitcoins (currently valued at $2.3 million) paid by Colonial Pipeline to the DarkSide ransomware extortionists on May 8, pursuant to a seizure warrant that was authorized by the Northern District of California.
The ransomware attack also hobbled the pipeline company's fuel supply, prompting the government to issue an emergency declaration, even as the company shelled out a ransom amount of approximately 75 bitcoins ($4.4 million as of May 8) to regain access to its systems.
A week after the highly publicized incident, the ransomware-as-a-service syndicate disbanded with a May 14 farewell message to affiliates, stating that its internet servers and cryptocurrency stash were seized by unknown law enforcement entities. While DarkSide's announcement was perceived as an exit scam, the latest move from DoJ confirms earlier speculations of law enforcement involvement.
Stating that "ransom payments are the fuel that propels the digital extortion engine," the DoJ said it followed the money trail left by the DarkSide gang by reviewing the Bitcoin public ledger, tracing the proceeds of the ransom payment to a specific bitcoin address, and ultimately used the "private key" the FBI had in its possession to access the crypto assets stored in that wallet.
"There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors," said FBI Deputy Director Paul Abbate. "We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public."
It's not immediately clear how the intelligence agency came to have the private key, but DarkSide had previously claimed to have lost access to one of their payment servers.
Blockchain analytics firm Elliptic, which had identified the bitcoin transaction representing the Colonial Pipeline ransom payment, said the seized bitcoins represent the 85% share of the total ransom that is typically reserved for the affiliate, with the rest going to the DarkSide developers. The Bitcoin address was emptied at around 1:40 p.m. ET on Monday, Dr. Tom Robinson, Elliptic's co-founder and chief scientist, said.
If anything, the seizure marks a first-of-its-kind orchestrated effort led by the DoJ's newly formed Ransomware and Digital Extortion Task Force to confiscate a cybercriminal cartel's illicit profits by breaking into its bitcoin wallet using its private key likely stored in the seized servers, as implied in the warrant.
"Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature," Colonial Pipeline CEO Joseph Blount said in a statement. "The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defenses."