The Department of Justice seized 63.7 bitcoins, worth about $2.3 million at the time. The action was made possible by a search warrant authorized by U.S. Magistrate Judge Laurel Beeler. In an affidavit supporting the warrant application, authorities said they reviewed bitcoin's public ledger, the blockchain, and traced the ransom payment through a chain of transactions to a specific address. They then obtained the private key for that address. A private key is loosely comparable to a password, but its real role is that whoever holds it can sign transactions spending the funds at that address, which is what let agents move the bitcoins. It is not clear how agents obtained the key. The warrant authorized them to seize property located in the Northern District of California.
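The affidavit describes the tracing step only in outline. The following is an added example, not the DOJ's tooling or any data from the case, showing the mechanics of "following the money" on a UTXO ledger like bitcoin's: every transaction spends earlier outputs in full and creates new outputs, so tracing a payment means walking that graph forward from the address the ransom was paid to until the funds come to rest in unspent outputs. The ledger, transaction ids, addresses and the way the 75 BTC is split are all constructed for illustration; only the 75 BTC paid and the roughly 63.7 BTC seized come from the article.

```python
"""Follow-the-money on a constructed UTXO ledger (added example, hypothetical data).

Amounts are in satoshis (1 BTC = 100_000_000 sat), as real tooling would use,
to avoid floating-point drift when checking that inputs balance outputs.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    amount: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple  # (txid, vout) references to earlier outputs being spent
    outputs: tuple  # Output objects created by this transaction


BTC = 100_000_000

# Constructed ledger. txids and addresses are placeholders, not real ones.
# tx_pay:   the victim pays 75 BTC to the address named in the ransom note.
# tx_split: the operators pay out an affiliate share and keep the rest (0.1 BTC fee).
# tx_move:  the affiliate sweeps its share to a fresh address, where it sits unspent.
LEDGER = (
    Tx("tx_pay", (("tx_victim_funds", 0),),
       (Output("addr_ransom", 75 * BTC),)),
    Tx("tx_split", (("tx_pay", 0),),
       (Output("addr_affiliate", 6_370_000_000), Output("addr_operator", 1_120_000_000))),
    Tx("tx_move", (("tx_split", 0),),
       (Output("addr_affiliate_2", 6_370_000_000),)),
    Tx("tx_unrelated", (("tx_other", 0),),
       (Output("addr_x", 1 * BTC),)),
)


def index_ledger(ledger):
    """Build lookups: txid -> Tx, and (txid, vout) -> txid of the tx that spends it."""
    txs = {tx.txid: tx for tx in ledger}
    spent_by = {ref: tx.txid for tx in ledger for ref in tx.inputs}
    return txs, spent_by


def trace_forward(ledger, start_address):
    """Walk the UTXO graph forward from every output paid to start_address.

    Returns (txids visited in order, {address: satoshis resting in unspent outputs}).
    Every output of a spending transaction is followed, so if a tainted output is
    mixed with others in one transaction, all of that transaction's outputs are
    treated as tainted. That is the conservative choice an investigator starts from;
    real analysis then applies heuristics to narrow it.
    """
    txs, spent_by = index_ledger(ledger)
    queue = deque((tx.txid, i) for tx in ledger
                  for i, out in enumerate(tx.outputs) if out.address == start_address)
    seen, visited, resting = set(), [], {}
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        spender = spent_by.get(ref)
        if spender is None:  # unspent: this is where the money currently sits
            out = txs[ref[0]].outputs[ref[1]]
            resting[out.address] = resting.get(out.address, 0) + out.amount
            continue
        if spender not in visited:
            visited.append(spender)
        queue.extend((spender, i) for i in range(len(txs[spender].outputs)))
    return visited, resting


def tx_fee(ledger, txid):
    """Miner fee = inputs - outputs; None if an input's source is outside the ledger."""
    txs, _ = index_ledger(ledger)
    tx = txs[txid]
    try:
        in_total = sum(txs[t].outputs[v].amount for t, v in tx.inputs)
    except KeyError:
        return None
    return in_total - sum(o.amount for o in tx.outputs)


if __name__ == "__main__":
    path, where = trace_forward(LEDGER, "addr_ransom")
    print("transactions on the trail:", path)
    for addr, sats in where.items():
        print(f"{addr}: {sats / BTC:.1f} BTC unspent")
```

Run stand-alone, the trail from `addr_ransom` is `tx_split` then `tx_move`, with 63.7 BTC resting at `addr_affiliate_2` and 11.2 BTC at `addr_operator`. A seizure targets one of those resting outputs: without the private key for `addr_affiliate_2`, knowing the trail is not enough to move the funds, which is why the affidavit's key-recovery step matters as much as the tracing.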
“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge. But the old adage follow the money still applies. And that’s exactly what we do,” Lisa Monaco, deputy attorney general, told a press conference in Washington.
Colonial Pipeline reported on May 7 that it had been attacked by a hacking group called DarkSide, which used ransomware, malicious software that encrypts a victim's files, to lock up portions of its network. The group then demanded payment to unlock it.
Colonial told the FBI that it paid DarkSide approximately 75 bitcoins in ransom, worth $4.4 million at the time. Colonial’s CEO, Joseph Blount, later called it “the right thing to do for the country” to enable pipeline operations to be restored.
The attack led Colonial to take its 5,500-mile pipeline offline. Combined with a shortage of fuel truck drivers, the shutdown produced outages at tens of thousands of gas stations in the Southeast and a jump in fuel prices.
Bitcoin is the largest cryptocurrency by market value. A single bitcoin traded above $60,000 earlier this year, though the price has since fallen to about $34,000. Bitcoin is a payment system in which a distributed network of independent nodes validates transactions, which are recorded in a public, append-only ledger known as the blockchain. Addresses are not tied to real-world identities, so people sending and receiving bitcoin are pseudonymous rather than truly anonymous: every transfer is permanently visible to anyone, and an address can be linked to a person through the exchanges used to cash out, which face a growing body of regulation in the United States.
DarkSide, which claimed last month that it was disbanding, is one of more than 100 ransomware-as-a-service operations the FBI is currently investigating. These operations supply ransomware and supporting infrastructure to affiliates who carry out attacks on businesses and governments, in return for a share of the ransom. Experts say ransomware attacks have proliferated in recent years, and the sums attackers collect have grown sharply.
“Today, we turned the tables on DarkSide by going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency,” Monaco said.
“The extortionists will never see this money,” added Stephanie Hinds, acting U.S. attorney for the Northern District of California.
Officials urged organizations to invest in cybersecurity defenses and prevention measures before they are hit. If an attack does happen, victims are encouraged to work with law enforcement.
“The message we’re sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they’re going after here, which is the proceeds of their criminal scheme,” Monaco said.
Blount said Colonial was grateful for the FBI’s work.
“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” he said in a statement. “The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defenses.”