DOJ says it has recovered millions in cryptocurrency ransom paid to Colonial Pipeline

Federal officials have recovered $2.3 million in cryptocurrency paid to the hackers who attacked the Colonial Pipeline, the Justice Department said Monday.

Deputy Attorney General Lisa Monaco said investigators have retrieved 63.7 bitcoins, now valued at about $2.3 million, paid by Colonial Pipeline, which operates a network that provides nearly half of the East Coast’s fuel.

The company last month paid nearly $5 million to the Russian hackers in difficult-to-trace cryptocurrency within hours after the May 7 attack, which prompted the company to shut down its operations. The company’s willingness to pay the ransom underscored the dire situation that led to gasoline shortages, long lines at the pump and price gouging along the East Coast.

Once the hackers received the payment, they provided the pipeline operator with a decryption tool to restore its disabled computer network. The tool was so slow that the company used its own tools to reboot the system.

Paul Abbate, deputy director of the FBI, said investigators tracked Colonial Pipeline’s payment to a cryptocurrency wallet used by DarkSide, the Russian-based hacking group linked to the attack.

“Using law enforcement authority, victim funds were seized from that wallet, preventing DarkSide actors from using them,” Mr. Abbate said at a Justice Department press conference.

The bitcoin wallet was hosted on a network located in Northern California, according to court documents. That made it easier for law enforcement to retrieve the funds than if the money had been stored on an overseas network.

Ransoms are rarely recovered in cyberattacks, hurting victims’ bottom lines and creating a windfall for criminals.

The FBI discourages businesses from paying ransoms to hackers, saying there is no guarantee they will follow through on promises to restore files. Paying also gives hackers an incentive to continue terrorizing businesses, the bureau said.

The amount paid by ransomware victims increased by 311% in 2020, reaching nearly $350 million in cryptocurrency, according to an April report by the Institute for Security and Technology’s Ransomware Task Force. The average ransomware payment last year was $312,493, according to the report.

Mr. Abbate urged companies to report ransomware attacks to the FBI.

“Victim reporting not only gives us the information we need to have an immediate real-world impact on actors … it can also prevent future harm from occurring,” he said.

Ransomware attacks have increased over the past year, becoming a major threat for businesses and government agencies. JBS USA, one of the country’s largest meat suppliers, revealed last week it was the target of a cyberattack.

The FBI has linked that attack to REvil, another Russian-based hacking group. President Biden has pressed Russia to take “decisive action” against hackers hiding within its borders.
