The US Department of Justice (DOJ) has seized 63.7 bitcoins, worth around $2.8 million, it alleges Colonial Pipeline paid to the DarkSide ransomware group during last month’s cyber attack that disrupted America's domestic fuel supply.
Although the seizure does not represent all the 75-bitcoin ransom Colonial coughed up to end the attack, US Deputy Attorney General Lisa Monaco said it was a step toward limiting the effectiveness of ransomware.
“Ransom payments are the fuel that propels the digital extortion engine,” Monaco said in a press statement.
“The United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.
“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”
In an affidavit shared by the DOJ, an Federal Bureau of Investigations (FBI) agent runs through how they tracked the bitcoins’ movements from one wallet address to another on the public blockchain.
The funds bounced between half a dozen different addresses before their bulk finally came to rest in a bitcoin address for which the FBI somehow had the private keys.
The affidavit does not say how or why the FBI came to have the keys to this bitcoin address.
When Californian judge Laurel Beeler put her signature to the seizure warrant on Monday, the FBI and DOJ began to take full control of the $2.8 million in bitcoin.
FBI Special agent Craig Fair said the agency was “relentless” in recovering this bitcoin.
“Hackers and other cybercriminals simply cannot rely on cryptocurrency to evade the reaches of law enforcement,” he said.
#Breaking: #FBI San Francisco led a U.S. government operation to seize $2.3 million in cryptocurrency paid to the ransomware extortionists Darkside, which had targeted Colonial Pipeline resulting in critical infrastructure being taken out of operation. pic.twitter.com/v8zWs34fOJ— FBI SanFrancisco (@FBISanFrancisco) June 7, 2021
Colonial Pipeline has been a lesson in humility for cyber crooks.
The widespread chaos it caused brought unwanted scrutiny to hacking forums where groups recruited new members, causing the forum operators to declare that ransomware activity was no longer wanted.
Now, for all the bad publicity, the hackers have also lost their profits.
But while the announcement is a welcome victory in the ongoing fight against ransomware, cyber expert Chris Grove from Nozomi Networks said the war is far from over.
“We can't lose sight of the fact that for every Colonial happy ending story, there are 25 not-so-lucky victims we can also discuss,” he said.
“And for every 25 we can discuss, there are 100 we can't. And for every 100 we know about, but can't discuss, there are another 1,000 we don't even know about.
“We need to keep the eye on the ball by continuing to build our defences.”
Ongoing attacks are also a source of geopolitical tension.
Following the recent ransomware attack on JBS Foods, which brought the world’s largest meat processing company to a grinding halt, the White House said US President Joe Biden would discuss the ransomware scourge with Russian President Vladimir Putin when the two meet at a summit in Geneva next week.
White House Deputy Press Secretary Karine Jean-Pierre previously said the administration was trying to get the message across to Russia that “responsible states do not harbour ransomware criminals”.
Cyberspace has been an ongoing battleground for the former Cold War enemies with the US delivering sanctions on Russia earlier this year in response to the SolarWinds attack that saw hackers infiltrate various branches of government and big business.