U.S. Seizes Share of Ransom From Hackers in Colonial Pipeline Attack

Investigators traced 75 Bitcoins worth more than $4 million through nearly two dozen cryptocurrency accounts.



By Katie Benner and Nicole Perlroth

WASHINGTON — The Justice Department said on Monday that it had seized much of the ransom that a major U.S. pipeline operator had paid last month to a Russian hacking collective, turning the tables on the hackers by reaching into a digital wallet to snatch back millions of dollars in cryptocurrency.

Investigators in recent weeks traced 75 Bitcoins worth more than $4 million that Colonial Pipeline had paid to the hackers as the attack shut down its computer systems, prompting fuel shortages, a spike in gasoline prices and chaos at airlines.

Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to DarkSide, the hacking group, before landing in one that a federal judge allowed them to break into, according to law enforcement officials and court documents.

The Justice Department said it seized 63.7 Bitcoins, valued at about $2.3 million. (The value of a Bitcoin has dropped over the past month.)

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge, but the old adage ‘follow the money’ still applies,” Lisa O. Monaco, the deputy attorney general, said at the news conference at the Justice Department.

Law enforcement officials highlighted the seizure in an effort to warn cybercriminals that the United States planned to take aim at their profits, which are often gained through cryptocurrencies like Bitcoin. It was also intended to encourage victims of ransomware attacks — which occur every eight minutes, on average — to notify the authorities to help recover ransoms.

For years, victims have opted to quietly pay cybercriminals, calculating that the payment would be cheaper than rebuilding data and services. Though the F.B.I. discourages ransom payments, they are legal and even tax deductible. But the payments — which collectively total billions of dollars — have funded and emboldened ransomware groups.

Justice Department officials said that Colonial’s willingness to quickly loop in the F.B.I. helped recoup the ransom portion, and they credited the company for its role in a first-of-its-kind effort by a new ransomware task force in the department to hijack a cybercrime group’s profits.

“We must continue to take cyberthreats seriously and invest accordingly to harden our defenses,” Joseph Blount, the chief executive of Colonial, said in a statement. Mr. Blount said that after his company contacted the F.B.I. and the Justice Department to notify them of the attack, investigators helped Colonial understand the hackers and their tactics.

The Justice Department’s announcement also came before President Biden’s scheduled meeting with President Vladimir V. Putin of Russia next week in Geneva, where Mr. Biden is expected to address what American officials see as the Kremlin’s willingness to provide protection for hackers. Russia typically does not arrest or extradite suspects in ransomware attacks.

Source: Read Full Article